RFE: Site PINNED Accept from PINNED Deny capability

Posted: Mon Dec 15, 2014 2:30 pm
by dontbuttfeedmebro
Is an opportunity to reduce CSRF coming with Firefox implementing Public Key Pinning? Major social media sites and other major sites relying on user identity are migrating from http to https and their known-good certificate authorities are being specified; i.e., pinned.

For Public Key Pinned internet web resources, it would be nice if NoScript’s ABE module could supplement CSRF prevention techniques with a built-in simple rule, such as or similar to:

# Prevent most internet sites from forging user requests to Public Key Pinned resources.
Site PINNED
Accept from PINNED
Deny

Re: RFE: Site PINNED Accept from PINNED Deny capability

Posted: Tue Dec 16, 2014 4:20 am
by Thrawn
But what if an attacker chooses to pin their own site?

Re: RFE: Site PINNED Accept from PINNED Deny capability

Posted: Tue Dec 16, 2014 1:38 pm
by dontbuttfeedmebro
In the narrow case where a CSRF attack comes from a location that doesn’t violate the relevant Public Key Pinning Rules within Firefox and ABE’s prospective dealing with them for a targeted website (and Mozilla hasn't revoked/expired the attack Pin), such a ‘Site PINNED’ ABE rule would not block the attack; i.e., would not add a layer to the relevant anti-CSRF arsenal.

Nevertheless, such a ‘Site PINNED’ ABE rule could, from the client side, substantially help NoScript users in reducing the possible CSRF attack surface for major social media, major email and other major sites that rely on self-identified users.

Somewhat similarly, the existing ‘Site LOCAL Accept from LOCAL Deny’ rule, in blocking LAN attacks from the Internet, has value, even though blocking LAN attacks from the LAN requires other security methods and techniques.
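As an added illustration (not code from this thread or from NoScript itself): a toy Python evaluator for ABE-style rules that treats PINNED as a new site class next to the existing LOCAL rule. The pin list, the hostnames, the limited LOCAL test and the "no predicate matched" fall-through are all assumptions; real ABE matching is richer. It reproduces the forged request the proposed rule would deny and the case Thrawn raises, where an attacker's own pinned origin is still accepted.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed pin list (not real data); stands in for the hosts Firefox pins.
PINNED_HOSTS = {"social.example", "mail.example", "attacker-pinned.example"}

def classify(url):
    """ABE-style classes a URL belongs to, plus its bare hostname."""
    p = urlsplit(url)
    host = p.hostname or ""
    classes = {host}
    try:  # LOCAL here means only loopback / RFC 1918 IP literals (simplification)
        if ipaddress.ip_address(host).is_private:  # is_private also covers 127/8
            classes.add("LOCAL")
    except ValueError:
        pass
    if p.scheme == "https" and host in PINNED_HOSTS:  # plain http is never PINNED
        classes.add("PINNED")
    return classes

def parse_rules(text):
    """Parse 'Site ...' blocks of 'Accept|Deny [from ...]' lines; '#' starts a comment."""
    rules = []
    for line in text.splitlines():
        words = line.split("#", 1)[0].split()
        if not words:
            continue
        if words[0] == "Site":
            rules.append((words[1:], []))
        else:
            origins = words[2:] if len(words) > 2 and words[1] == "from" else ["ANY"]
            rules[-1][1].append((words[0], origins))
    return rules

def evaluate(rules, request_url, origin_url):
    """First Site rule matching the request decides; its first matching predicate wins."""
    req, org = classify(request_url), classify(origin_url)
    for sites, predicates in rules:
        if req.intersection(sites):
            for action, origins in predicates:
                if "ANY" in origins or org.intersection(origins):
                    return action
            return "Accept"  # assumed for this toy: unmatched predicates do not restrict
    return None  # no rule covers this request; other protections must decide

RULES = parse_rules("Site LOCAL\nAccept from LOCAL\nDeny\n"    # existing ABE rule
                    "Site PINNED\nAccept from PINNED\nDeny")   # rule proposed above
```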