
Re: The HTTP Origin Header (draft-abarth-origin)

From: Adam Barth <w3c@adambarth.com>
Date: Wed, 24 Jun 2009 16:28:08 -0700
Message-ID: <7789133a0906241628n3449c012p95856f1462ba54e3@mail.gmail.com>
To: Henrik Nordstrom <henrik@henriknordstrom.net>
Cc: "Roy T. Fielding" <fielding@gbiv.com>, Larry Masinter <LMM@acm.org>, Mark Nottingham <mnot@mnot.net>, ietf-http-wg@w3.org, Lisa Dusseault <ldusseault@commerce.net>
On Wed, Jun 24, 2009 at 4:08 PM, Henrik Nordstrom <henrik@henriknordstrom.net> wrote:
> Thu 2009-01-22 at 17:35 -0800, Adam Barth wrote:
>> I experimentally measured how often the Origin header is dropped in
>> the real world, and it is not dropped greater than 99.9% of the time.
>
> So the actual motivation for Origin is because Referer is dropped in
> some networks, while the still unknown Origin header is not dropped in
> the same networks?

We've covered this issue before.  You can find the answer by reading
the whole thread.  In summary, servers cannot distinguish between the
user agent not sending a Referer header and the header being stripped
in the network, making it impossible to use the Referer header as a
CSRF defense without locking out a non-trivial number of users.

> And why is this? Imho simply because the network admins who worry about
> Referer do not yet know about Origin. Once they learn about Origin they
> will start filtering that header in the same manner as they do with
> Referer, putting you back on square one, implementing Origin2?
>
> Regards
> Henrik
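As an added example, not part of the original thread or of the draft, the following Python contrasts the two server-side checks Adam describes: a Referer-based CSRF check has to choose between locking out users whose network strips the header and letting the request through unverified, whereas an Origin-based check can treat a missing header as cross-site because the header is so rarely stripped. The trusted origin `https://bank.example`, the `scheme://host[:port]` origin serialization and the sample header sets are constructed assumptions for this example.

```python
from urllib.parse import urlsplit

# Constructed sample header maps for a state-changing POST to https://bank.example.
# Keys are lower-cased, as a typical WSGI/ASGI layer would present them.
SAMPLE_REQUESTS = {
    "same_site_referer":  {"referer": "https://bank.example/transfer"},
    "cross_site_referer": {"referer": "https://evil.example/csrf.html"},
    "referer_stripped":   {},  # legitimate user behind a proxy that removes Referer
    "same_site_origin":   {"origin": "https://bank.example"},
    "cross_site_origin":  {"origin": "https://evil.example"},
    "origin_absent":      {},  # Origin is almost never stripped, so absence is suspect
}

TRUSTED_ORIGIN = "https://bank.example"  # assumed site origin for this example


def origin_of(url: str) -> str:
    """Reduce a full URL (e.g. a Referer value) to scheme://host[:port]."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


def referer_policy(headers: dict, strict: bool) -> str:
    """CSRF decision based on Referer.

    The server cannot tell 'browser sent nothing' from 'network stripped it',
    so a missing header forces a trade-off: strict rejects (and locks out
    users behind stripping proxies), lenient allows (and gives up protection).
    """
    referer = headers.get("referer")
    if referer is None:
        return "reject" if strict else "allow"
    return "allow" if origin_of(referer) == TRUSTED_ORIGIN else "reject"


def origin_policy(headers: dict) -> str:
    """CSRF decision based on Origin.

    Because the header survives the network in the overwhelming majority of
    cases, a missing or non-matching Origin can safely be treated as
    cross-site without locking out a meaningful number of users.
    """
    origin = headers.get("origin")
    if origin is None:
        return "reject"
    return "allow" if origin.lower() == TRUSTED_ORIGIN else "reject"


def evaluate_all() -> dict:
    """Run every sample request through both policies for side-by-side comparison."""
    return {
        name: {
            "referer_strict": referer_policy(h, strict=True),
            "referer_lenient": referer_policy(h, strict=False),
            "origin": origin_policy(h),
        }
        for name, h in SAMPLE_REQUESTS.items()
    }
```

The `referer_stripped` row is the one the thread is about: the strict Referer policy rejects a legitimate user, the lenient one would also accept a cross-site request with the header stripped, while the Origin policy has no such ambiguity to resolve.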
Received on Wednesday, 24 June 2009 23:29:07 GMT