Hacker News new | past | comments | ask | show | jobs | submit login

>and I can validate the request based on the origin

Are you talking about the HTTP referer? That's easily spoofable and can't be relied on server-side. The same-origin policy and all the CORS security is implemented in the browser itself, not in HTTP.

If you need to be certain that a request originated from your own page and not another domain you need to use a CSRF token.

I'm talking about the Origin header, which is present on XHR requests and cannot be assigned by code. A CSRF token is not necessary if you require Origin because the origin is not sent with standard HTML forms.

It can be inside of insecure browsers, you're not any more secure than you were before after CORS.

Users with insecure browsers are subjecting themselves to security vulnerabilities, not me. In this case, the service just wouldn’t work for them. Not overly worried about those users because they represent a diminishingly small portion of our user base.

The problem is that you can be unaware. It's also not tracked as a metric. Nobody knows how large or small it is.

Also, it's easily bypassed.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact