Re: The HTTP Origin Header (draft-abarth-origin) from Adrien de Croy on 2009-01-23 (ietf-http-wg@w3.org from January to March 2009)

From: Adrien de Croy <adrien@qbik.com>
Date: Fri, 23 Jan 2009 16:14:53 +1300
To: Adam Barth <w3c@adambarth.com>
CC: "William A. Rowe, Jr." <wrowe@rowe-clan.net>, "Roy T. Fielding" <fielding@gbiv.com>, Mark Nottingham <mnot@mnot.net>, Larry Masinter <LMM@acm.org>, ietf-http-wg@w3.org, Lisa Dusseault <ldusseault@commerce.net>
Message-ID: <4979362D.4040905@qbik.com>

was there any trend you were able to recognise from the 3% of stripped 
requests?  e.g were any investigated to see if there was a common theme 
regards which model of proxy they may have been going through?

I would have thought that if a system admin decided to strip referer for 
privacy reasons, then they may also decide (whether in ignorance or not) 
to strip the Origin header as well.

Also I presume this scenario is coupled with a requirement for browsers 
to make it impossible for a script to touch the Origin header?

Adrien


Adam Barth wrote:
> On Thu, Jan 22, 2009 at 5:58 PM, William A. Rowe, Jr.
> <wrowe@rowe-clan.net> wrote:
>   
>> Adam Barth wrote:
>>     
>>> The problematic case is when the Referer header is suppressed by the
>>> network (e.g., proxies).  In this case, the Referer header is
>>> suppressed regardless of its value.  Choosing a different value will
>>> not help Web sites defend themselves against CSRF.
>>>       
>> Ok - hold up... a 'strict' proxy which is stripping all but trusted
>> headers is going to pass the Origin header, why?
>>     
>
> According to my experiments, this is not how proxies function.
> Instead, proxies strip headers on a blacklist of headers.  A user
> behind a hypothetical "strict" proxy you describe would be unable to
> use many existing Web sites because those sites require custom
> headers, such as X-JSON, to function properly.
>
>   
>> If you can't fix the bug in the proxies, adding another header for
>> them to ignore is not a solution.
>>     
>
> In fact, the vast majority of proxies leave the Origin header
> unmolested and so do not do not require modification.
>
>   
>> They only
>> have RFC2616 to strip hop-by-hop headers, so I would study this
>> problem set from the scope of non-compliant proxies and explain
>> to that group (through a best practices RFC or direct bug report)
>> why this is harmful.
>>     
>
> I suspect the operators of these proxies will ignore such efforts
> because they have business reasons for stripping the Referer header.
> For example, it is common in enterprise configurations to strip the
> Referer header to prevent intranet URLs from leaking to Internet Web
> sites.
>
> Adam
>
>   

-- 
Adrien de Croy - WinGate Proxy Server - http://www.wingate.com

Received on Friday, 23 January 2009 03:12:49 UTC