Hacker News new | comments | ask | show | jobs | submit login

X-Frame-Options (in supported browsers) prevents the result of a request from being rendered in the browser, it doesn't prevent the request itself from being made. So does X-Frame-Options actually prevent this? Is the change to your recommendations made by an AJAX callback when you view the page? I would've assumed it was made by the pageview itself.

I agree that X-Frame-Options isn't the right solution. Here's the comment I posted on the site:


This is a cross-site request forgery (CSRF). To prevent the attack the server needs to disregard the request. It doesn’t matter whether or not the browser disregards the response to that request. By the time the browser receives the response it is too late, the server will already have processed the request. Therefore using X-Frame-Options won’t help in this case.

The correct solution (I believe) is for the server to check for Referer or Origin headers and use those headers to determine whether or not the request is valid.

The decision about which requests to accept may be a bit fuzzy in this case because Amazon probably wants to accept most requests that originate from external sites, but perhaps not all of them (as your attack shows).

Strict CSRF prevention techniques are probably not desirable due to the fact that the recommendation system needs to be seamless to the end user. It would be inappropriate (for example) to ask the user for their password!

Some references for the interested reader:



Perhaps AJAX, but Amazon would probably like to support people without JS, so maybe they log the pageview when the browser requests the product image or something.

They don't. Including a page as an image includes it in my recently viewed items. Don't know about recommendations, as Amazon.co.uk have a kindle letter running.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact