CSRF/XSRF protection different approach, is it safe?
#1

[eluser]Jelmer[/eluser]
WARNING: I won't delete the post because that'll make the replies useless, but I didn't fully understand CSRF when I wrote this. HTTP_REFERER writing is possible through a CSRF attack when done with old Flash versions for instance, so the solution below is useless.

I wrote a very simple CSRF protection library for myself yesterday which does what every other one does: generate a key and submit it through the session and through a post or get variable and check if both match.

However it got me thinking about a different approach to this problem, by using $_SERVER['HTTP_REFERER'] and checking it against a list of permitted URIs. While I know that any HTTP_* variable in $_SERVER is to be considered unsafe - a CSRF attack wouldn't have access to the HTTP headers, would it?

If that's true an implementation like below should be safe:
Code:
$this->load->library('csrf_protect');

$allowed_uris = array('certain_page', 'another/page');

if (! $this->csrf_protect->allowed($allowed_uris)) exit('Possible CSRF attack!');

The library would look like this (the code is untested):
Code:
class csrf_protect
{
    var $ci;

    function csrf_protect()
    {
        $this->ci =& get_instance();
        $this->ci->load->helper('url');
    }

    // Returns the Referer header, or an empty string when the browser sent none
    function referer()
    {
        return isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
    }

    function allowed($uris)
    {
        if (! is_array($uris)) $uris = array($uris);
        $referer = $this->referer();
        foreach ($uris as $uri)
        {
            if (site_url($uri) === $referer) return true;
        }
        // if nothing was returned yet, it's not allowed
        return false;
    }

    function domain_refer()
    {
        // preg_quote (not addslashes) escapes the regex metacharacters in the URL;
        // keeping the trailing slash of site_url() stops a referer of
        // "http://example.com.other/" from matching a prefix check for "http://example.com"
        return preg_match('/^'.preg_quote(site_url(), '/').'/', $this->referer()) === 1;
    }
}

Any thoughts on the security of this?

EDIT
To further clarify: Of course this is ONLY meant as protection against CSRF attacks using an already validated user session of my own. I know it won't protect against any other attacks.
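For comparison, here is an added example (not Jelmer's code and not part of the thread) of the session-token approach mentioned at the top of the post, placed next to a referer/origin check so the difference is visible. It assumes PHP 7 or later and a plain array standing in for the session; the class name CsrfGuard, the helper names and the sample requests are all constructed for the demo.

```php
<?php
// Added example: synchronizer-token CSRF check beside a referer/origin check.
// Assumptions (not from the thread): PHP >= 7, a plain array as the session,
// no CodeIgniter dependency so the file runs on its own with `php csrf_demo.php`.

class CsrfGuard
{
    const SESSION_KEY = 'csrf_token';

    // Issue a per-session token, creating one on first use.
    // The page embeds it in a hidden form field; a foreign page cannot read it.
    public static function token(array &$session): string
    {
        if (empty($session[self::SESSION_KEY])) {
            $session[self::SESSION_KEY] = bin2hex(random_bytes(32));
        }
        return $session[self::SESSION_KEY];
    }

    // Validate the token submitted in the POST body against the session copy.
    public static function validate(array $session, ?string $submitted): bool
    {
        if (empty($session[self::SESSION_KEY]) || $submitted === null) {
            return false;
        }
        // hash_equals compares in constant time, so the token is not leaked byte by byte.
        return hash_equals($session[self::SESSION_KEY], $submitted);
    }

    // Defence-in-depth only: accept when Origin (preferred) or Referer names our
    // own host. Compares the parsed host, not a string prefix, and fails closed
    // when neither header is present.
    public static function sourceIsOwnSite(array $server, string $siteUrl): bool
    {
        $expected = parse_url($siteUrl, PHP_URL_HOST);
        foreach (array('HTTP_ORIGIN', 'HTTP_REFERER') as $header) {
            if (!empty($server[$header])) {
                $host = parse_url($server[$header], PHP_URL_HOST);
                return is_string($host) && strcasecmp($host, $expected) === 0;
            }
        }
        return false;
    }
}

// Constructed demo data (not real requests).
$session = array();
$site = 'https://example.com/';

$token = CsrfGuard::token($session);

// 1. Legitimate form post: the browser sends back the token the page embedded.
$legit = CsrfGuard::validate($session, $token);

// 2. Cross-site post: the foreign page never saw the token, so whatever it
//    submits (here a constructed guess) fails.
$crossSite = CsrfGuard::validate($session, 'not-the-real-token');

// 3. Header check on its own: any request whose header claims our host passes,
//    which is why the thread's approach is not sufficient on its own.
$claimsOwnSite = CsrfGuard::sourceIsOwnSite(
    array('HTTP_REFERER' => 'https://example.com/certain_page'), $site);
$noHeader = CsrfGuard::sourceIsOwnSite(array(), $site);
$lookalike = CsrfGuard::sourceIsOwnSite(
    array('HTTP_REFERER' => 'https://example.com.other.test/'), $site);

printf("token: legit=%d cross-site=%d | header: own=%d none=%d lookalike=%d\n",
    $legit, $crossSite, $claimsOwnSite, $noHeader, $lookalike);
// token: legit=1 cross-site=0 | header: own=1 none=0 lookalike=0
```

The point of the side-by-side: the token check succeeds only for a request that was built from a page our own server rendered into this session, whereas the header check only tells you what the sender chose to put in the header. Keeping the origin/referer check as a second layer is fine; relying on it alone is not.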
#2

[eluser]tomcode[/eluser]
Don't know about CSRF attacks (will look it up and closely follow this thread ;)), but you do not need to load the URL helper; you can directly call:
Code:
$this->ci->uri->site_url()
This is an undocumented function in the URI class, which is used by the helper.
#3

[eluser]Jelmer[/eluser]
I've been thinking and doing some Google searches; the biggest danger should come from Flash & Java. Would it be possible for a Flash or Java program running on another site to use my session on my own site and fake the headers before doing so? I'd think those types of applications wouldn't have access to off-site cookies when doing requests, but I'm not entirely sure...

tomcode, I know but I have the URL helper autoloaded in all my applications so I'm just used to site_url(). I only loaded the helper here to show it's used in the example.
#4

[eluser]tomcode[/eluser]
I know one Java applet which has access to the local filesystem; it allows multiple drag and drop from a local file browser window directly into the embedded applet in the web page.

Rad Upload

So it should be possible that it could also gain access to the file containing the cookie info, but this surpasses my knowledge.
#5

[eluser]Jelmer[/eluser]
That wasn't the kind of access I was worried about. This is about CSRF attacks; attacks through such an application wouldn't typically be CSRF attacks.

I was worried about a Flash or Java application requesting stuff from one of my sites while using my existing cookies/sessions. It shouldn't get access when coming from an external site, but when it changes its headers (like the HTTP_REFERER header) it would break the above security measure. And I was wondering whether such an application would be authenticated with my existing cookies, or whether it wouldn't be allowed to use those cookies...

Does no one have any knowledge on the safety of the above?
#6

[eluser]t'mo[/eluser]
That's not really safe; the referrer can be manipulated - http://en.wikipedia.org/wiki/Referrer_spoofing