The same-origin policy is necessary to prevent CSRF. Imagine this scenario:
- Bank manager Joe Fatkat has an account in his bank's administration backend. This account allows him to retrieve confidential account information for everyone who banks at TBtF Bank. He can even reset someone's PIN number, transfer funds, change the owner of an account, etc.
- Now TBtF Bank lays off Jack the IT Guy. Now he's Jack the Disgruntled Ex-IT-Guy, and he wants revenge on his former employer. Jack does not have access to the bank administration backend, but he knows that Joe does.
- So Jack sends his old boss an email with a link to a page that Jack created. The page contains this JavaScript:
    // victimAccount and jacksAccount are assumed to be defined elsewhere on Jack's page
    var xhr = new XMLHttpRequest(),
        data = "from=" + victimAccount + "&to=" + jacksAccount + "&amt=a+gazillion+dollars";
    // cross-site POST to the bank's transfer endpoint; the browser attaches Joe's session cookie
    xhr.open("POST", "http://tbtfbank.tld/accounts/wiretransfer.aspx", true);
    xhr.send(data);
- The next day, Joe arrives at his office, logs into his administrative account as always, and leaves the tab open in the background.
- Joe sees an email containing links to pictures of Natalie Portman covered in hot mushrooms. So, naturally, he clicks on it, opening a malicious web page.
- The browser runs the JavaScript on the page and sends an AJAX POST request to the TBtF Bank server. Since Joe is already logged in to the site and has an active session, the banking application accepts the command and wires a million dollars into Jack's offshore bank account.
And Jack could just as easily use the same technique to collect thousands of account numbers and PINs, or any other information the bank manager has access to through his account.
Fortunately, the same-origin policy protects us from this type of attack most of the time, because Jack's malicious page is hosted on a different domain from the banking application, so it is not allowed to make XHR requests to the banking application. The malicious page could still contain an image that makes a GET request to the banking application, though, so it is important that GET requests do not trigger side effects, that applications check the Referer header of the requests they receive, and that they make use of anti-CSRF tokens.