Andrew Arnott

Reputation: 81771

How to mitigate XSRF for ASP.NET MVC Ajax.ActionLink requests?

I have many Ajax.ActionLinks on my ASP.NET MVC (v1) page that perform destructive operations. This is "legal" because I set HttpMethod to DELETE in this case, so it's not a destructive GET.

My question though is how to mitigate XSRF attacks on this operation so that other sites cannot craft this same Ajax DELETE request to delete user data from another site. This ActionLink does appear within a form that includes <%= Html.AntiForgeryToken() %> but since ActionLinks don't post the form, the anti-forgery token doesn't go to the controller, so it can't validate it.

Upvotes: 1

Views: 897

Answers (2)

Stephen Lacy


This link covers one solution: http://tpeczek.com/2010/05/using-antiforgerytoken-with-other-verbs.html

However, the most ideal solution is that when you use the ActionLink it adds the anti-forgery token into the query string, so I'm going to try writing my own ActionLink extension method that appends that on.

Finally, I'm going to write an attribute that inherits from the ValidateAntiForgeryTokenAttribute and that accepts forgery tokens in both the Request.Form and Request.QueryString.

Upvotes: 0
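An added worked example of the two pieces this answer describes (an ActionLink helper that carries the token, and a filter that accepts it from more than one place). It is not code from the post, from the linked article, or from ASP.NET MVC itself. It is written against the System.Web.Helpers.AntiForgery API (AntiForgery.GetTokens, AntiForgery.Validate, AntiForgeryConfig.CookieName), which exists from MVC 4 onward; MVC 1 has no public validation entry point, so there the same idea needs the request-wrapper trick from the linked article. The framework's ValidateAntiForgeryTokenAttribute is sealed, so the filter below implements IAuthorizationFilter directly rather than inheriting from it. The namespace, the helper name AntiForgeryActionLink, the attribute name and the header name X-RequestVerificationToken are assumptions.

```csharp
// Added example, not from the original page or from ASP.NET MVC.
// Assumes MVC 4+ (System.Web.Helpers.AntiForgery / AntiForgeryConfig).
using System;
using System.Web;
using System.Web.Helpers;
using System.Web.Mvc;
using System.Web.Mvc.Ajax;
using System.Web.Routing;

namespace Example.Security   // assumed namespace
{
    public static class AntiForgeryAjaxExtensions
    {
        // Same field name Html.AntiForgeryToken() emits, so one filter serves forms and links.
        public const string TokenName = "__RequestVerificationToken";

        // Assumed helper name. Emits an Ajax link whose query string carries the form
        // token and makes sure the matching cookie token is on the response.
        // Usage in a view:
        //   <%= Ajax.AntiForgeryActionLink("Delete", "Delete", new { id = item.Id },
        //           new AjaxOptions { HttpMethod = "DELETE" }) %>
        public static MvcHtmlString AntiForgeryActionLink(this AjaxHelper ajax, string linkText,
            string actionName, object routeValues, AjaxOptions ajaxOptions)
        {
            var values = new RouteValueDictionary(routeValues);
            values[TokenName] = GetFormToken(ajax.ViewContext.HttpContext);
            return ajax.ActionLink(linkText, actionName, values, ajaxOptions);
        }

        private static string GetFormToken(HttpContextBase context)
        {
            HttpCookie cookie = context.Request.Cookies[AntiForgeryConfig.CookieName];
            string oldCookieToken = cookie != null ? cookie.Value : null;
            string newCookieToken, formToken;
            // Reuses the existing cookie token when there is one; otherwise mints a new pair.
            AntiForgery.GetTokens(oldCookieToken, out newCookieToken, out formToken);
            if (newCookieToken != null)
            {
                context.Response.Cookies.Set(new HttpCookie(AntiForgeryConfig.CookieName, newCookieToken)
                {
                    HttpOnly = true,
                    Secure = context.Request.IsSecureConnection
                });
            }
            return formToken;
        }
    }

    // Validates the token whether it arrived in the form body, the query string or a header.
    [AttributeUsage(AttributeTargets.Method | AttributeTargets.Class, AllowMultiple = false, Inherited = true)]
    public sealed class ValidateAntiForgeryTokenAnywhereAttribute : FilterAttribute, IAuthorizationFilter
    {
        public const string HeaderName = "X-RequestVerificationToken";   // assumed header name

        public void OnAuthorization(AuthorizationContext filterContext)
        {
            if (filterContext == null) throw new ArgumentNullException("filterContext");
            HttpRequestBase request = filterContext.HttpContext.Request;

            // First location that carries a token wins; a DELETE with no body simply has an empty Form.
            string formToken = request.Form[AntiForgeryAjaxExtensions.TokenName]
                ?? request.QueryString[AntiForgeryAjaxExtensions.TokenName]
                ?? request.Headers[HeaderName];

            HttpCookie cookie = request.Cookies[AntiForgeryConfig.CookieName];
            string cookieToken = cookie != null ? cookie.Value : null;

            // Throws HttpAntiForgeryException when either half is missing or the pair does not
            // match, exactly as the built-in attribute does for a form post.
            AntiForgery.Validate(cookieToken, formToken);
        }
    }
}
```

Mark the DELETE action with `[ValidateAntiForgeryTokenAnywhere]` (and keep `[AcceptVerbs(HttpVerbs.Delete)]` on it). Putting the token in the query string works because it is still paired with the HttpOnly cookie that another origin cannot read, but the URL then lands in server logs and any Referer the page sends; where you control the Ajax call yourself, copying the hidden `__RequestVerificationToken` input into the `X-RequestVerificationToken` header keeps it out of URLs, and the same filter accepts it there.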

rook

Reputation: 67019

To prevent Cross-Site Request Forgery attacks you must block requests that originate from another site. In ASP.NET you can do this by checking whether Request.UrlReferrer is from a host name other than your own. If the Ajax request originated from a different server, then you should ignore the Ajax request. If the referrer is null, then you should also ignore the request.

Upvotes: 1
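An added example of the Referer check this answer describes, packaged as an MVC authorization filter; it is not code from the post or from ASP.NET MVC, and the attribute name RequireSameOriginReferer and the namespace are assumptions. It goes beyond the answer in one respect: it prefers the Origin header when the browser sends one and falls back to Referer otherwise. The comparison itself lives in a static method with no HttpContext dependency so it can be unit tested. Two caveats a practitioner would want: browsers, privacy extensions and Referrer-Policy routinely strip Referer, so rejecting a null Referer (as the answer advises) also turns away some legitimate users; and the check says nothing about whether the request carried a valid anti-forgery token, so it is a second layer rather than a replacement for one.

```csharp
// Added example, not from the original page or from ASP.NET MVC.
// Works on MVC 1 and later: only FilterAttribute, IAuthorizationFilter and HttpException are used.
using System;
using System.Web;
using System.Web.Mvc;

namespace Example.Security   // assumed namespace
{
    // Rejects requests whose Origin (when present) or Referer is absent or from another origin.
    [AttributeUsage(AttributeTargets.Method | AttributeTargets.Class, AllowMultiple = false, Inherited = true)]
    public sealed class RequireSameOriginRefererAttribute : FilterAttribute, IAuthorizationFilter
    {
        public void OnAuthorization(AuthorizationContext filterContext)
        {
            if (filterContext == null) throw new ArgumentNullException("filterContext");
            HttpRequestBase request = filterContext.HttpContext.Request;

            if (!IsSameOrigin(request.Headers["Origin"], request.UrlReferrer, request.Url))
            {
                // 403 rather than 401: a 401 would trigger the forms-authentication login redirect.
                throw new HttpException(403, "Cross-origin request rejected.");
            }
        }

        // Pure comparison: scheme, host and port of the requesting page must equal those of
        // the request URL. A missing source (no Origin and no Referer) fails, per the answer.
        public static bool IsSameOrigin(string originHeader, Uri referrer, Uri requestUrl)
        {
            if (requestUrl == null) throw new ArgumentNullException("requestUrl");

            Uri source = null;
            if (!string.IsNullOrEmpty(originHeader))
            {
                // Browsers send the literal value "null" for opaque origins (sandboxed frames,
                // redirects across origins); it does not parse as an absolute URI and is rejected.
                if (!Uri.TryCreate(originHeader, UriKind.Absolute, out source))
                    return false;
            }
            if (source == null)
                source = referrer;
            if (source == null)
                return false;

            // Uri.Port substitutes the scheme default, so "https://a.example" and
            // "https://a.example:443/x" compare equal.
            return string.Equals(source.Scheme, requestUrl.Scheme, StringComparison.OrdinalIgnoreCase)
                && string.Equals(source.Host, requestUrl.Host, StringComparison.OrdinalIgnoreCase)
                && source.Port == requestUrl.Port;
        }
    }
}
```

Behind a reverse proxy or load balancer, `Request.Url` may carry the internal host and port rather than the public one, in which case compare against the configured public origin instead of `request.Url`, or every browser request will look cross-origin.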
