What are the plans for CSRF?

Jan 18, 2010 at 7:58 PM

I read over on the Security Tools blog that this is [becoming] the "Web Protection Library" and will include cross-site request forgery (CSRF) countermeasures. I have a question about that.

The current countermeasures offered in web forms and MVC with the validation of a request token make the assumption that the browser is trusted. It assumes that the browser will not allow a cross-domain GET request to be inspected such that the token could be parsed out and sent in a newly crafted POST response. That's not entirely a safe assumption considering the various browser security holes that get discovered all the time. Further, it assumes no restricted operation is happening during a GET, which may not be a safe assumption, and it entirely ignores AJAX requests (e.g., an AJAX-enabled WCF service).

My question is: what is the plan for the anti-CSRF countermeasures that will be included in the Web Protection Library? Still the weak POST-only token validation or will there be a more robust/holistic approach?
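An added example, not part of the original post and not Web Protection Library code: a token check enforced per restricted operation rather than per HTTP verb, accepting the token from a form field or from a header sent by AJAX callers. The route table, the field and header names, and the dict-shaped request are assumptions for illustration. Like any token scheme, it still depends on the browser's same-origin policy keeping the token unreadable cross-site.

```python
import hashlib
import hmac
import secrets

# Constructed demo key; a real deployment loads a per-application secret.
SERVER_KEY = secrets.token_bytes(32)

# Hypothetical route table: operations that change state, whatever the verb.
RESTRICTED = {("POST", "/account/transfer"),
              ("GET", "/account/delete"),
              ("POST", "/services/orders.svc/cancel")}

TOKEN_FIELD = "__RequestToken"    # hypothetical hidden form field name
TOKEN_HEADER = "X-Request-Token"  # hypothetical header set by AJAX callers


def _mac(session_id: str, nonce: str) -> str:
    msg = f"{session_id}|{nonce}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_token(session_id: str) -> str:
    """Token is nonce.HMAC(key, session|nonce), so it only verifies for one session."""
    nonce = secrets.token_hex(16)
    return f"{nonce}.{_mac(session_id, nonce)}"


def token_valid(session_id: str, token: str) -> bool:
    nonce, sep, mac = token.partition(".")
    if not sep or not nonce or not mac:
        return False
    # Compare as bytes in constant time; non-ASCII input simply fails to match.
    return hmac.compare_digest(_mac(session_id, nonce).encode(), mac.encode())


def check_request(req: dict) -> tuple[bool, str]:
    """req is a constructed stand-in for a framework request object."""
    if (req["method"], req["path"]) not in RESTRICTED:
        return True, "not a restricted operation"
    # Header first (AJAX and service calls), then form body. The query string
    # is never consulted, because URLs end up in logs and Referer headers.
    token = (req.get("headers", {}).get(TOKEN_HEADER)
             or req.get("form", {}).get(TOKEN_FIELD))
    if not token:
        return False, "missing token"
    if not token_valid(req["session_id"], token):
        return False, "token not valid for this session"
    return True, "ok"
```
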