
Re: The HTTP Origin Header (draft-abarth-origin)

From: Ian Hickson <ian@hixie.ch>
Date: Fri, 23 Jan 2009 10:26:37 +0000 (UTC)
To: Daniel Stenberg <daniel@haxx.se>
Cc: ietf-http-wg@w3.org
Message-ID: <Pine.LNX.4.62.0901231024180.11411@hixie.dreamhostps.com>

On Fri, 23 Jan 2009, Daniel Stenberg wrote:
> 
> Further, the argument:
> 
> > the employee will not leak any information in the Origin header 
> > because it is not sent for GET requests.
> 
> ... will thus break when that same intranet has a 'search the with 
> loogle' field that sends a POST to the external site?

Search is usually done with GET, but even if it was, leaking a hostname 
isn't a big deal -- it's unlikely that confidential information will be in 
a hostname. (This is one reason why the Origin header doesn't include the 
path information.)

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Friday, 23 January 2009 10:27:13 GMT
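Added example, not part of the message above or of draft-abarth-origin: it makes concrete what the Origin header value would and would not carry for a form on an intranet page, as Hickson describes. The sample intranet URL is constructed, the POST-only rule is taken from the draft text as quoted in the thread, and restricting the serialization to http and https is a simplification of this example, not a statement about the draft.

```javascript
// Added example (not from the original message or from draft-abarth-origin).
// Shows what an Origin header carries for a request made from an intranet
// page, and which URL components never reach the receiving site.

// Default ports are omitted from an origin serialization. Limiting the
// example to http/https is a simplification made here.
const DEFAULT_PORTS = { 'http:': '80', 'https:': '443' };

// Serialize the origin of a page URL as scheme://host[:port].
// Userinfo, path, query and fragment are discarded; a default port is
// omitted; the host is lowercased because it is case-insensitive.
function serializeOrigin(pageUrl) {
  const u = new URL(pageUrl);
  if (!(u.protocol in DEFAULT_PORTS)) {
    throw new Error(`unsupported scheme in this example: ${u.protocol}`);
  }
  const host = u.hostname.toLowerCase();
  const port =
    u.port && u.port !== DEFAULT_PORTS[u.protocol] ? `:${u.port}` : '';
  return `${u.protocol}//${host}${port}`;
}

// Model the rule quoted in the thread: the header accompanies POST
// requests and is not sent for GET. Returns null when no header is sent.
function originHeaderFor(method, pageUrl) {
  return method.toUpperCase() === 'POST' ? serializeOrigin(pageUrl) : null;
}

// List the URL components that are never part of the Origin value, so
// the "what leaks" question can be answered for a given page.
function componentsNotLeaked(pageUrl) {
  const u = new URL(pageUrl);
  return {
    userinfo: u.username || u.password ? `${u.username}:${u.password}` : '',
    path: u.pathname,
    query: u.search,
    fragment: u.hash,
  };
}

// Constructed sample: an intranet page whose path names a confidential
// project, containing a search form that POSTs to an external site.
const INTRANET_PAGE =
  'https://Intranet.Example.Corp:443/projects/acquisition-of-acme/q1-report.html?draft=1#budget';

console.log(originHeaderFor('POST', INTRANET_PAGE)); // https://intranet.example.corp
console.log(originHeaderFor('GET', INTRANET_PAGE));  // null
console.log(componentsNotLeaked(INTRANET_PAGE));
```

Only the scheme, the hostname and a non-default port survive serialization; the project name in the path, the query string and the fragment are dropped before the header is built, which is the property the reply relies on.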
