CSRF prevention in browser plugin-only API that is available on HTTPS

Question

I have to design an API that will support browser plugins only (latest version of Chrome, Firefox, IE). The API will be served over HTTPS. The API will be using a cookie-based access control scheme.

I am wondering what tactics to employ for CSRF prevention. Specifically, I want my API only to get requests from my own browser plugin itself and not from any other pages/plugins.

Would I be able to:

• Assume that in most cases there would be an Origin header?
• Would I be able to compare and trust the Origin header to ensure that the requests only come from a white-listed set of Origins?
• Would this be compatible across the board (Chrome/Firefox/IE)?

I'm aware of multiple techniques used to prevent CSRF, such as the Synchronizer Token Pattern, but I would like to know in my limited scope above, if simply checking the Origin header would be sufficient?

Thanks in advance!

Answer 1

Set a custom header like X-From-My-Plugin: yes. The server should require its presence. It can be a constant. A web attacker can either:

1. make the request from the user's browser: this sends the cookie, but they can't send the custom header cross-origin; or
2. make the request from a different HTTP client: they can send the custom header, but they can't send the cookie because they don't know it

Either way, the attacker's request won't have both the cookie and the custom header.