CSRF Blocker - block CSRF-attacks the right way

Mathias Karlsson (@avlidienbrunn) has created an extension for Chrome that is designed to stop CSRF-attacks. It's easy to understand how the extension works if you understand how a CSRF-attack is designed.

CSRF Blocker works by checking whether a POST-request came from the same domain as the one it is being sent to. If it did not, the extension will not allow any cookies to be sent with the request. So CSRF Blocker never deletes any cookies, it just doesn't allow them to be sent from domain1 -> domain2 once you have landed on domain2.

It could also be explained with the following logical statement:
if !GET FROM $current_domain to !$current_domain then strip_cookie_from_header()
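
The rule above as runnable JavaScript. This is an added example, not the extension's own source: the function names, the use of the Origin/Referer headers to find the sending domain, the exact-hostname comparison, the handling of a request with no usable source header, and the sample domains are all assumptions of the example.

```javascript
// Added example, not the extension's source. Input mimics the "details"
// object of chrome.webRequest.onBeforeSendHeaders.

function headerValue(headers, name) {
  const h = headers.find(x => x.name.toLowerCase() === name);
  return h ? h.value : null;
}

// Hostname of the page that issued the request, or null if unknown.
function sourceHost(headers) {
  for (const name of ["origin", "referer"]) {
    const v = headerValue(headers, name);
    if (!v || v === "null") continue;        // opaque origin or header absent
    try { return new URL(v).hostname; } catch (e) { /* malformed: try next */ }
  }
  return null;
}

// Returns the headers to send: unchanged, or with Cookie removed.
function filterHeaders(details) {
  const headers = details.requestHeaders || [];
  if (details.method.toUpperCase() === "GET") return headers; // rule is non-GET only
  const from = sourceHost(headers);
  const to = new URL(details.url).hostname;
  // Assumptions: exact hostname comparison; unknown source counts as cross-domain.
  if (from !== null && from === to) return headers;
  return headers.filter(h => h.name.toLowerCase() !== "cookie");
}

function hasCookie(headers) {
  return headers.some(h => h.name.toLowerCase() === "cookie");
}

// Constructed sample: a form on other.example POSTs to shop.example.
const crossPost = {
  method: "POST",
  url: "https://shop.example/account/email",
  requestHeaders: [
    { name: "Origin", value: "https://other.example" },
    { name: "Cookie", value: "session=constructed-value" },
  ],
};
console.log(hasCookie(filterHeaders(crossPost))); // false

// In a Manifest V2 extension the same function plugs into blocking webRequest.
if (typeof chrome !== "undefined" && chrome.webRequest) {
  chrome.webRequest.onBeforeSendHeaders.addListener(
    d => ({ requestHeaders: filterHeaders(d) }),
    { urls: ["<all_urls>"] },
    ["blocking", "requestHeaders", "extraHeaders"]);
}
```

A cross-domain GET passes through with its cookies intact, which is the "CSRF in the URL" case the post lists as out of scope.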


Example



Without CSRF Blocker:



With CSRF Blocker:




As you can see in the videos above, the cookie was not found when I clicked on the button that POSTed data to another domain. If I refreshed the website, the cookie would be present, so no cookies are deleted.

This way is much more convenient than other methods out there. HTTP Switchboard (now µMatrix) can accomplish roughly the same result as CSRF Blocker, but it works by completely denying cross-origin requests. CSRF Blocker does not deny anything, it just strips out an HTTP header field.

Also, of course, this extension does not protect against websites that do not require cookies for authentication, or if there's CSRF in the URL.

CSRF Blocker in Chrome Web Store: https://chrome.google.com/webstore/detail/csrf-blocker/mjbbebkcnlnnpinafjhnekplgomloame

The project on Github: https://github.com/avlidienbrunn/anti-csrf-plugin


Note:

Chromium has proposed "First-Party-Cookies" which will do the same thing as CSRF Blocker but the option will be set in the Cookie-field. Unfortunately this has been on hold and is not yet available.