W3C home > Mailing lists > Public > ietf-http-wg@w3.org > April to June 2009

Re: The HTTP Origin Header (draft-abarth-origin)

From: Adam Barth <w3c@adambarth.com>
Date: Wed, 24 Jun 2009 19:06:03 -0700
Message-ID: <7789133a0906241906t6c41fbb8t9368fe3b291ea547@mail.gmail.com>
To: Mark Nottingham <mnot@mnot.net>
Cc: Henrik Nordstrom <henrik@henriknordstrom.net>, "Roy T. Fielding" <fielding@gbiv.com>, Larry Masinter <LMM@acm.org>, ietf-http-wg@w3.org, Lisa Dusseault <ldusseault@commerce.net>
On Wed, Jun 24, 2009 at 6:29 PM, Mark Nottingham<mnot@mnot.net> wrote:
> Right -- and that's why we're modifying referer to allow about: blank.
>
> The question I have is whether this makes Referer adequate for the use cases
> that the various W3C WGs have for Origin (assuming that they'll place
> additional requirements on it).

I'll respond to all the feedback as time permits (hopefully in the
next day or two).  To answer your specific question, the Referer
header doesn't cover the following use case:

1) The honest server changes state in response to a GET request.
2) The honest server let's the attacker inject hyperlinks to untrusted
sites (e.g., as a comment on a news article).

In this case, the honest server cannot use the Referer header as a
CSRF defense.  When the user clicks on the hyperlink, the user agent
will send a GET request to attacker.com with the honest server's name
in the Referer header.  The attacker can then redirect the request
back to the honest server.  The Referer header will still implicate
the honest server, and the honest server will change state
erroneously.

The Sec-From header resolves this issue by including the origins of
each URL in the redirect chain.

Adam
Received on Thursday, 25 June 2009 02:07:03 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 27 April 2012 06:51:04 GMT