Robert Hansen aka R-Snake has posted a very interesting article today over at his blog. As R-Snake states:
Whelp, we’ve talked about it, but now it’s finally possible. CSRF can now cause jail time. The FBI has begun arresting people who click on links to supposed child pornography. Now, I understand the noble pursuit, but there’s a fairly huge flaw in the old logic. I can force users to click on links anytime I want. Now here comes some interesting CSRF technology grey area. The authorities might reasonably say, “The referrer doesn’t match.” Okay, well that’s what our good friend META refresh is for. I can force you to click on things without leaving a referring URL at all.

I agree completely with R-Snake on this topic. While I would love taking down those trying to view child pornography, I think we should all be scared of a world where someone can simply force you to view a page through CSRF and possibly get you arrested for a very serious crime. It seems like with each new law related to technology, I get more and more scared of even using the internet.
So now the real question is: would a user with no referring URL be worthy of investigation?