Streaming insertion of tokens into content to protect against CSRF
US8438649B2 · kind B2 · utility
Assignee
Inventor
Key dates
| Filing date | Apr 16, 2010 |
| Grant date | May 7, 2013 |
| Priority date | — |
| Expiry date | Jun 30, 2031 |
Classification
- Technology area (CPC G)Physics
- CPC primaryG06F2221/2119
- WIPO fieldDigital communication
- WIPO sectorElectrical engineering
Abstract
Methods and apparatus are provided for protecting against cross-site request forgeries (CSRFs) by requiring certain requests submitted to a computer server to include specific tokens. The requests involve modification of or access to protected data, and the tokens are inserted by a state machine into content from which the requests are initiated. For example, content that includes a form, a hyperlink, a scripted request or other control for initiating a follow-on request to the server is modified to include tokens. The state machine may scan the content in real time (e.g., as it is served) to identify these controls and to insert the tokens. Using a state machine allows the content to be streamed even as it is scanned, does not require construction of a representation of the content (e.g., a DOM tree), and avoids modifying any of the content other than to insert one or more tokens.
Source: USPTO / EPO open patent data. Objective bibliographic and citation counts.