I agree that X-Frame-Options isn't the right solution. Here's the comment I posted on the site:
--
This is a cross-site request forgery (CSRF). To prevent the attack the server needs to disregard the request. It doesn’t matter whether or not the browser disregards the response to that request. By the time the browser receives the response it is too late, the server will already have processed the request. Therefore using X-Frame-Options won’t help in this case.
The correct solution (I believe) is for the server to check for Referer or Origin headers and use those headers to determine whether or not the request is valid.
The decision about which requests to accept may be a bit fuzzy in this case because Amazon probably wants to accept most requests that originate from external sites, but perhaps not all of them (as your attack shows).
Strict CSRF prevention techniques are probably not desirable due to the fact that the recommendation system needs to be seamless to the end user. It would be inappropriate (for example) to ask the user for their password!
--
Some references for the interested reader:
http://en.wikipedia.org/wiki/Cross-site_request_forgery
https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(...
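The Referer/Origin check the comment above recommends, written out as an added example (this is not the commenter's code and not Amazon's; the allowed origin `https://shop.example`, the header dictionary and the hypothetical function names are constructed for illustration). It applies the check only to state-changing methods, prefers the Origin header, falls back to Referer when Origin is absent, and rejects the request when neither header can establish where it came from, which is the one case a seamless recommendation feature still cannot safely accept.

```python
from typing import Dict, Optional, Set
from urllib.parse import urlsplit

# Constructed for the example: the origins from which state-changing
# requests (e.g. "add to recommendations") are accepted.
ALLOWED_ORIGINS: Set[str] = {"https://shop.example"}

# Methods that must not change server state and therefore need no check.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def _origin_of(url: str) -> Optional[str]:
    """Reduce a URL (Origin or Referer value) to scheme://host[:port], lower-cased.

    Returns None when the value is not a usable absolute URL, so a malformed
    header can never accidentally match an allowed origin.
    """
    parts = urlsplit(url.strip())
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}".lower()


def is_request_allowed(method: str, headers: Dict[str, str],
                       allowed: Set[str] = ALLOWED_ORIGINS) -> bool:
    """Server-side CSRF check based on the Origin / Referer headers.

    Hypothetical helper: decides whether a request may be processed at all.
    The decision is made before any work is done, which is what makes it
    effective; the browser's handling of the response is irrelevant.
    """
    if method.upper() in SAFE_METHODS:
        return True

    # Header names are case-insensitive.
    lowered = {name.lower(): value for name, value in headers.items()}

    origin = lowered.get("origin")
    if origin is not None:
        # Browsers send the literal "null" for opaque origins (sandboxed
        # frames, some redirects); that cannot be attributed to a trusted site.
        if origin.strip().lower() == "null":
            return False
        return _origin_of(origin) in allowed

    referer = lowered.get("referer")
    if referer is not None:
        # Referer carries a full URL; only its origin part matters here.
        return _origin_of(referer) in allowed

    # Neither header present: provenance cannot be verified, so the server
    # must disregard the state-changing request rather than guess.
    return False


if __name__ == "__main__":
    # Constructed sample requests: a legitimate POST from the site itself and
    # a forged POST triggered from a third-party page.
    print(is_request_allowed("POST", {"Origin": "https://shop.example"}))      # True
    print(is_request_allowed("POST", {"Origin": "https://attacker.example"}))  # False
```

A scheme mismatch (an `http://` Referer for an `https://` site) or a host that merely starts with the trusted name (`shop.example.evil`) is rejected because the comparison is on the exact normalised origin, not a substring; the fuzziness the comment mentions would be expressed by widening `ALLOWED_ORIGINS`, not by loosening the comparison.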