
Re: The HTTP Origin Header (draft-abarth-origin)

From: William A. Rowe, Jr. <wrowe@rowe-clan.net>
Date: Thu, 22 Jan 2009 19:46:44 -0600
Message-ID: <49792184.5000702@rowe-clan.net>
To: Adam Barth <w3c@adambarth.com>
CC: "Roy T. Fielding" <fielding@gbiv.com>, Larry Masinter <LMM@acm.org>, Mark Nottingham <mnot@mnot.net>, ietf-http-wg@w3.org, Lisa Dusseault <ldusseault@commerce.net>

Adam Barth wrote:
> On Thu, Jan 22, 2009 at 3:07 PM, Roy T. Fielding <fielding@gbiv.com> wrote:
>> 1) CSRF is not a security issue for the Web.  A well-designed Web
>> service should be capable of receiving requests directed by any host,
>> by design, with appropriate authentication where needed.
> 
> Many Web sites contain CSRF vulnerabilities and find it difficult to
> engineer CSRF defenses.  The goal of the Origin header is to make it
> easier for these sites to defend themselves against CSRF attacks.  For
> example, a site can use the header to defend itself against CSRF using
> a simple Web application firewall.

Does a protocol which provides for inherent spoofing methods actually add
value to the design of the application, or simply provide another security
check box which authors can apply to simply be routed about in the very
next request?

If you really wanted to solve this programmatically, you would add a specific
hash or nonce to identify the origin to itself...

oh wait, nevermind, that's digest authentication.

Bill
Received on Friday, 23 January 2009 01:47:25 GMT
