W3C home > Mailing lists > Public > ietf-http-wg@w3.org > January to March 2009

Re: The HTTP Origin Header (draft-abarth-origin)

From: William A. Rowe, Jr. <wrowe@rowe-clan.net>
Date: Thu, 22 Jan 2009 19:58:04 -0600
Message-ID: <4979242C.1020806@rowe-clan.net>
To: Adam Barth <w3c@adambarth.com>
CC: "Roy T. Fielding" <fielding@gbiv.com>, Mark Nottingham <mnot@mnot.net>, Larry Masinter <LMM@acm.org>, ietf-http-wg@w3.org, Lisa Dusseault <ldusseault@commerce.net>

Adam Barth wrote:
> On Thu, Jan 22, 2009 at 4:41 PM, Roy T. Fielding <fielding@gbiv.com> wrote:
>> I don't understand -- the only case that would be affected
>> is the one wherein no Referer is sent today.
> 
> The problematic case is when the Referer header is suppressed by the
> network (e.g., proxies).  In this case, the Referer header is
> suppressed regardless of its value.  Choosing a different value will
> not help Web sites defend themselves against CSRF.

Ok - hold up... a 'strict' proxy which is stripping all but trusted
headers is going to pass the Origin header, why?

If you can't fix the bug in the proxies, adding another header for
them to ignore is not a solution.  Agreed this is a problem, but not
one to be resolved by adding more datum to be eliminated.  They only
have RFC2616 to strip hop-by-hop headers, so I would study this
problem set from the scope of non-compliant proxies and explain
to that group (through a best practices RFC or direct bug report)
why this is harmful.
Received on Friday, 23 January 2009 01:58:49 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 27 April 2012 06:51:00 GMT