re: Defense Against the Dark Arts: CSRF Attacks


As far as my knowledge goes: there was a bug that allowed adding custom headers without a pre-flight in Flash in 2013/2014.

It could happen again with any other plugin. Therefore implementing tokens is not only a second line, but should be the first line of defense :)


It looks like the Origin/Referer check would have prevented these though, yeah? (I think these are the Flash hacks that OWASP warned about.)


If you are able to set Referer/Origin, the check would be useless. The only reason why the check works: you can't set certain headers without a preflight because of CORS restrictions.

BUT: you are right. This particular bug does not affect the Referer/Origin check, because some headers are blacklisted in Flash.
Just wanted to point out that it happened before, and planning for a fail in a security system because of another piece of software is never a good idea.

So implementing one solution (tokens), instead of one solution which could break plus one solid one, is more cost-effective.
Tokens are implemented in nearly every framework. Using them is most of the time the easier option.

But I like your writing, and that you supply all the information :)
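The layered approach the thread settles on (an Origin/Referer allow-list check plus a synchronizer token, both required), as an added example that is not code from the post or the commenters; `ALLOWED_ORIGINS`, the header/form dicts and the session dict are assumed stand-ins for whatever the framework provides:

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Assumed site origin; in a real app this comes from configuration.
ALLOWED_ORIGINS = {"https://app.example.com"}


def issue_token(session):
    """Create a per-session CSRF token and store it server-side."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def origin_is_trusted(headers):
    """Allow-list check on Origin (preferred) or, failing that, Referer.

    A state-changing request with neither header is treated as untrusted
    rather than waved through; this is the 'could break' layer from the
    thread, so it is only the first gate, never the only one.
    """
    h = {k.lower(): v for k, v in headers.items()}
    origin = h.get("origin")
    if origin is None:
        referer = h.get("referer")
        if not referer:
            return False
        parts = urlsplit(referer)
        origin = f"{parts.scheme}://{parts.netloc}"
    return origin in ALLOWED_ORIGINS


def token_is_valid(session, submitted):
    """Constant-time comparison of the submitted token against the session."""
    expected = session.get("csrf_token")
    if not expected or not submitted:
        return False
    return hmac.compare_digest(expected, submitted)


def csrf_check(session, headers, form):
    """Both layers must pass; returns (ok, which_layer_rejected_or_'ok')."""
    if not origin_is_trusted(headers):
        return False, "origin"
    if not token_is_valid(session, form.get("csrf_token")):
        return False, "token"
    return True, "ok"
```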
