I'd say it's enough. If cross-domain requests were permitted, you'd be doomed anyway because the attacker could use Javascript to fetch the CSRF token and use it in the forged request.
A static token is not a great idea. The token should be generated at least once per session.
EDIT2 Mike is not right after all, sorry. I hadn't read the page I linked to properly. It says:
A simple cross-site request is one that: [...]
Does not set custom headers with the HTTP Request (such as X-Modified, etc.)
Therefore, if you set X-Requested-With
, the request has to be pre-flown, and unless you respond to pre-flight OPTIONS
request authorizing the cross-site request, it won't get through.
EDIT Mike is right, as of Firefox 3.5, cross-site XMLHttpRequests are permitted. Consequently, you also have to check if the Origin
header, when it exists, matches your site.
if (array_key_exists('HTTP_ORIGIN', $_SERVER)) {
if (preg_match('#^https?://myserver.com$#', $_SERVER['HTTP_ORIGIN'])
doStuff();
}
elseif (array_key_exists('HTTP_X_REQUESTED_WITH', $_SERVER) &&
(strtolower($_SERVER['HTTP_X_REQUESTED_WITH']) == 'xmlhttprequest'))
doStuff();
与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…