W3C home > Mailing lists > Public > ietf-http-wg@w3.org > April to June 2009

Re: The HTTP Origin Header (draft-abarth-origin)

From: Mark Nottingham <mnot@mnot.net>
Date: Thu, 25 Jun 2009 11:29:54 +1000
Cc: Henrik Nordstrom <henrik@henriknordstrom.net>, "Roy T. Fielding" <fielding@gbiv.com>, Larry Masinter <LMM@acm.org>, ietf-http-wg@w3.org, Lisa Dusseault <ldusseault@commerce.net>
Message-Id: <71B4ED6B-3736-404E-86CA-B3619C8B48C3@mnot.net>
To: Adam Barth <w3c@adambarth.com>
Right -- and that's why we're modifying Referer to allow about:blank.

The question I have is whether this makes Referer adequate for the use  
cases that the various W3C WGs have for Origin (assuming that they'll  
place additional requirements on it).

Cheers,


On 25/06/2009, at 9:28 AM, Adam Barth wrote:

> On Wed, Jun 24, 2009 at 4:08 PM, Henrik Nordstrom <henrik@henriknordstrom.net> wrote:
>> Thu 2009-01-22 at 17:35 -0800, Adam Barth wrote:
>>> I experimentally measured how often the Origin header is dropped in
>>> the real world, and it is not dropped greater than 99.9% of the time.
>>
>> So the actual motivation for Origin is because Referer is dropped in
>> some networks, while the still unknown Origin header is not dropped in
>> the same networks?
>
> We've covered this issue before.  You can find the answer by reading
> the whole thread.  In summary, servers cannot distinguish between the
> user agent not sending a Referer header and the header being stripped
> in the network, making it impossible to use the Referer header as a
> CSRF defense without locking out a non-trivial number of users.
>
>> And why is this? Imho simply because the network admins who worry about
>> Referer do not yet know about Origin. Once they learn about Origin they
>> will start filtering that header in the same manner as they do with
>> Referer, putting you back on square one, implementing Origin2?
>>
>> Regards
>> Henrik
>>
>>


--
Mark Nottingham     http://www.mnot.net/
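The distinction Adam Barth draws above (a server cannot tell a Referer that was never sent from one a proxy stripped, so a Referer-only CSRF check must either lock out those users or let the ambiguous case through) is easiest to see in code. The following is an added example written for this archive page; it is not code from the thread, from draft-abarth-origin, or from any of the participants. It checks a state-changing request against the Origin header first and falls back to Referer, and makes the "neither header present" policy an explicit switch. The allowed-origin set, the function names, the sample requests and the choice to treat a Referer of about:blank as carrying no origin are all assumptions made for the illustration; the handling of the literal value "null" follows the published Origin header specification (RFC 6454), which the draft became.

```python
"""
Added example (not from the thread or from draft-abarth-origin): a server-side
CSRF check for state-changing requests that prefers Origin and falls back to
Referer. Names, the allowed-origin set and the sample requests are assumptions.
"""
from urllib.parse import urlsplit

# Origins this server accepts state-changing requests from (assumed value).
ALLOWED_ORIGINS = {"https://bank.example"}


def origin_of(url):
    """Reduce a URL to its scheme://host[:port] origin.

    Returns None when the URL has no network origin, e.g. about:blank, which a
    Referer may legitimately carry but which identifies no site.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    default_port = 80 if parts.scheme == "http" else 443
    host = parts.hostname
    if parts.port is not None and parts.port != default_port:
        host = f"{host}:{parts.port}"
    return f"{parts.scheme}://{host}"


def csrf_check(headers, allowed=ALLOWED_ORIGINS, reject_if_unknown=True):
    """Decide whether a state-changing request may proceed.

    headers: dict of request headers (looked up case-insensitively).
    Returns (allowed: bool, reason: str).

    reject_if_unknown is the policy for a request that carries neither
    header. The server cannot distinguish "never sent" from "stripped in the
    network", so with Referer alone this switch must in practice be False to
    avoid locking out users behind stripping proxies, and that lenient path is
    exactly where a cross-site request slips through. A header that is
    reliably delivered (the thread's argument for Origin) is what lets a
    server choose True instead.
    """
    h = {k.lower(): v for k, v in headers.items()}

    origin = h.get("origin")
    if origin is not None:
        # "null" is the serialization used when the request has no usable
        # origin; it can never match a real origin, so it is rejected.
        if origin.strip().lower() == "null":
            return False, "Origin: null"
        return origin in allowed, f"Origin {origin}"

    referer = h.get("referer")
    if referer is not None:
        ref_origin = origin_of(referer)
        if ref_origin is None:
            # e.g. Referer: about:blank (assumed policy: no origin, no trust)
            return False, f"Referer {referer!r} has no network origin"
        return ref_origin in allowed, f"Referer origin {ref_origin}"

    # Neither header: indistinguishable from a header stripped in transit.
    if reject_if_unknown:
        return False, "no Origin/Referer (rejected by policy)"
    return True, "no Origin/Referer (allowed by policy)"


# Constructed sample requests for the illustration (not captured traffic).
SAMPLES = {
    "same_origin_origin": {"Origin": "https://bank.example"},
    "cross_site_origin": {"Origin": "https://attacker.example"},
    "null_origin": {"Origin": "null"},
    "referer_only_same": {"Referer": "https://bank.example/transfer?to=x"},
    "referer_only_cross": {"Referer": "http://attacker.example/"},
    "referer_about_blank": {"Referer": "about:blank"},
    "stripped_or_never_sent": {},
}


def run_samples(reject_if_unknown=True):
    """Map each sample name to the allow/deny decision under the given policy."""
    return {name: csrf_check(hdrs, reject_if_unknown=reject_if_unknown)[0]
            for name, hdrs in SAMPLES.items()}


if __name__ == "__main__":
    for policy in (True, False):
        print(f"reject_if_unknown={policy}: {run_samples(policy)}")
```

Running it shows the trade-off the thread is about: the only sample whose outcome changes with the policy switch is the request with no header at all, and a forged cross-site request from a browser that strips (or never sends) Referer lands in precisely that bucket.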
Received on Thursday, 25 June 2009 01:30:34 GMT
