On Thu, Jan 22, 2009 at 4:41 PM, Roy T. Fielding <fielding@gbiv.com> wrote:
> I don't understand -- the only case that would be affected
> is the one wherein no Referer is sent today.

The problematic case is when the Referer header is suppressed by the network (e.g., proxies). In this case, the Referer header is suppressed regardless of its value. Choosing a different value will not help Web sites defend themselves against CSRF.

Adam

Received on Friday, 23 January 2009 01:48:39 GMT
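
The argument in the message above, as an added example that is not part of the original post: a server-side Referer check evaluated before and after a hop that drops the header, showing that the value the browser chose no longer matters once the header is gone. The host names, the sample requests, the `"null"` stand-in for a "different value" and all function names are assumptions made for illustration.

```python
from urllib.parse import urlsplit

SITE_ORIGIN = ("https", "bank.example")  # assumed identity of the protected site


def strip_referer(headers):
    """Model a network intermediary that drops Referer whatever its value."""
    return {k: v for k, v in headers.items() if k.lower() != "referer"}


def check_referer(headers, allow_missing):
    """Referer-based CSRF check for a state-changing request.

    Returns True when the request is accepted.
    """
    referer = next((v for k, v in headers.items() if k.lower() == "referer"), None)
    if referer is None:
        # Header absent: a stripped same-site request and a stripped
        # cross-site request look identical, so only the policy decides.
        return allow_missing
    parts = urlsplit(referer)
    return (parts.scheme, parts.hostname) == SITE_ORIGIN


# Constructed sample requests (not captured traffic).
SAME_SITE = {"Host": "bank.example", "Referer": "https://bank.example/transfer"}
CROSS_SITE = {"Host": "bank.example", "Referer": "https://other.example/page"}
ALT_VALUE = {"Host": "bank.example", "Referer": "null"}  # hypothetical alternative value


def outcomes(allow_missing):
    """Map each sample to (accepted as sent, accepted after the stripping hop)."""
    samples = (("same", SAME_SITE), ("cross", CROSS_SITE), ("alt", ALT_VALUE))
    return {
        name: (check_referer(req, allow_missing),
               check_referer(strip_referer(req), allow_missing))
        for name, req in samples
    }


if __name__ == "__main__":
    for policy in (False, True):
        print("allow_missing =", policy, outcomes(policy))
```

After the stripping hop all three requests receive the same decision under either policy: rejecting a missing header turns away the same-site request, and accepting it admits the cross-site one.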