- From: William A. Rowe, Jr. <wrowe@rowe-clan.net>
- Date: Thu, 22 Jan 2009 19:58:04 -0600
- To: Adam Barth <w3c@adambarth.com>
- CC: "Roy T. Fielding" <fielding@gbiv.com>, Mark Nottingham <mnot@mnot.net>, Larry Masinter <LMM@acm.org>, ietf-http-wg@w3.org, Lisa Dusseault <ldusseault@commerce.net>
Adam Barth wrote:
> On Thu, Jan 22, 2009 at 4:41 PM, Roy T. Fielding <fielding@gbiv.com> wrote:
>> I don't understand -- the only case that would be affected
>> is the one wherein no Referer is sent today.
>
> The problematic case is when the Referer header is suppressed by the
> network (e.g., proxies). In this case, the Referer header is
> suppressed regardless of its value. Choosing a different value will
> not help Web sites defend themselves against CSRF.

Ok - hold up... a 'strict' proxy which is stripping all but trusted headers is going to pass the Origin header, why?

If you can't fix the bug in the proxies, adding another header for them to ignore is not a solution. Agreed this is a problem, but not one to be resolved by adding more data to be eliminated.

They only have RFC2616 to strip hop-by-hop headers, so I would study this problem set from the scope of non-compliant proxies and explain to that group (through a best practices RFC or direct bug report) why this is harmful.
Received on Friday, 23 January 2009 01:58:49 UTC
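The exchange above turns on two behaviours: what an RFC 2616-compliant proxy is allowed to strip (only hop-by-hop headers, section 13.5.1 plus anything named in Connection), and what an over-strict allowlisting proxy does to both Referer and Origin. The following is an added example written for this archive page, not code from any participant or from the HTTP working group; the allowlist used to model the "strict" proxy, the `bank.example` request and the `csrf_check` policy are all constructed assumptions. It shows a compliant filter forwarding Origin and Referer untouched, the strict filter removing both, and the server-side check reporting the resulting "missing" case that Barth describes.

```python
"""Added example: RFC 2616 hop-by-hop filtering vs. an over-strict proxy,
and the effect of each on an Origin/Referer-based CSRF check."""

# RFC 2616 section 13.5.1: headers a proxy must not forward to the next hop.
HOP_BY_HOP = {
    "connection", "keep-alive", "proxy-authenticate", "proxy-authorization",
    "te", "trailers", "transfer-encoding", "upgrade",
}


def compliant_proxy_filter(headers):
    """Drop only hop-by-hop headers: the fixed RFC 2616 list plus any
    header named as a token in the Connection header. End-to-end headers
    such as Referer and Origin are forwarded unchanged."""
    lowered = {k.lower(): v for k, v in headers.items()}
    connection_tokens = {
        t.strip().lower()
        for t in lowered.get("connection", "").split(",")
        if t.strip()
    }
    drop = HOP_BY_HOP | connection_tokens
    return {k: v for k, v in headers.items() if k.lower() not in drop}


# Hypothetical allowlist modelling the 'strict' proxy discussed in the thread.
STRICT_ALLOWLIST = {
    "host", "user-agent", "accept", "content-type", "content-length", "cookie",
}


def strict_proxy_filter(headers):
    """Model of a non-compliant proxy that forwards only allowlisted headers.
    Referer is stripped, and a newly introduced Origin header is stripped
    just the same, which is the point made in the thread."""
    return {k: v for k, v in headers.items() if k.lower() in STRICT_ALLOWLIST}


def csrf_check(headers, site_origin):
    """Server-side policy (an assumption, not a standard): prefer Origin,
    fall back to Referer, and report 'missing' when neither arrived so the
    application can decide how to treat the suppressed-header case.
    Returns 'allow', 'deny' or 'missing'."""
    lowered = {k.lower(): v for k, v in headers.items()}
    origin = lowered.get("origin")
    if origin is not None:
        return "allow" if origin == site_origin else "deny"
    referer = lowered.get("referer")
    if referer is not None:
        same_site = referer == site_origin or referer.startswith(site_origin + "/")
        return "allow" if same_site else "deny"
    return "missing"


# Constructed sample request as the browser would send it to the proxy.
SAMPLE_REQUEST = {
    "Host": "bank.example",
    "Connection": "keep-alive, X-Debug",   # names X-Debug as hop-by-hop
    "X-Debug": "1",
    "Cookie": "session=abc",
    "Referer": "https://bank.example/transfer",
    "Origin": "https://bank.example",
    "Content-Type": "application/x-www-form-urlencoded",
}

SITE = "https://bank.example"


def outcome_via(proxy_filter):
    """Run the sample request through a proxy model, then the server check."""
    return csrf_check(proxy_filter(SAMPLE_REQUEST), SITE)


if __name__ == "__main__":
    print("compliant proxy:", outcome_via(compliant_proxy_filter))  # allow
    print("strict proxy:   ", outcome_via(strict_proxy_filter))     # missing
```

The compliant path removes Connection and X-Debug and nothing else, so the server sees Origin and allows the request; the strict path removes Referer and Origin together, so the server is left with "missing" and no header value, new or old, could have changed that.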