Suppose I have an ASP.Net MVC site. How do I lock controller methods (perhaps with an Attribute on the Action) so that HTTP_REFERER must point to my site?
To expand:
I have many JSON actions on my Controllers that are marked [Authorize], to prevent an uncookied* user from getting in.
Someone sneaky builds an attacker webpage and emails it to a user logged in to my site. That page includes a script that fetches from my JSON Controller action. That causes the user's browser to send a logged-in cookie to my authorized controller method, getting that user's data back to the attacker's webpage, which they can then read and pass elsewhere.
If I could just lock these requests so that HTTP_REFERER must point to my site, a cross-site attack to request the JSON would be prevented. What's the simplest way?
Note that I obviously don't want to lock all requests, JSON, Authorized or not - people still need to be able to link to the site. But no Authorized JSON request should ever be accessible from anything but pages on our site.
*Yes I made this word up.
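One way to express the Referer restriction as an action filter, shown here as an added example rather than code from the question or from ASP.NET MVC itself; the attribute name `RequireSameSiteReferer`, the `AccountController` and its `Profile` action are constructed for illustration. It compares the whole host of the Referer against the host the request was sent to and fails closed when the header is missing, because browsers and referrer policies can suppress it.

```csharp
using System;
using System.Web.Mvc;

// Restricts an action to requests whose Referer header names this site.
// Meant to sit beside [Authorize] on JSON actions; requests with no Referer
// are rejected (fail closed), since the cross-site page in the question
// cannot set that header, but a privacy setting may also strip it.
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = false)]
public sealed class RequireSameSiteRefererAttribute : ActionFilterAttribute
{
    public override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        var request = filterContext.HttpContext.Request;
        Uri referer = request.UrlReferrer;      // parsed Referer; null if absent or malformed
        string expectedHost = request.Url.Host; // host this request was actually made to

        if (!IsSameSite(referer, expectedHost))
        {
            // Return 403 with no body so a cross-site caller gets no data back.
            filterContext.Result = new HttpStatusCodeResult(403, "Cross-site request rejected");
            return;
        }
        base.OnActionExecuting(filterContext);
    }

    // Split out so the rule can be unit tested without an HttpContext.
    public static bool IsSameSite(Uri referer, string expectedHost)
    {
        if (referer == null || !referer.IsAbsoluteUri) return false;
        // Compare the entire host, case-insensitively: a prefix or substring
        // match would let "mysite.example.attacker.test" through.
        return string.Equals(referer.Host, expectedHost, StringComparison.OrdinalIgnoreCase);
    }
}

// Constructed example controller showing the attribute next to [Authorize].
public class AccountController : Controller
{
    [Authorize]
    [RequireSameSiteReferer]
    public JsonResult Profile()
    {
        return Json(new { name = User.Identity.Name }, JsonRequestBehavior.AllowGet);
    }
}
```

Ordinary links to the site are unaffected because the attribute is applied only to the Authorized JSON actions, not globally.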