
Re: The HTTP Origin Header (draft-abarth-origin)

From: Bil Corry <bil@corry.biz>
Date: Sat, 24 Jan 2009 08:29:07 -0600
Message-ID: <497B25B3.1000903@corry.biz>
To: ietf-http-wg@w3.org

Robert Sayre wrote on 1/24/2009 6:22 AM: 
> Information on the quantity would be nice to have, but I don't think a
> new CSRF mitigation technique should introduce a privacy leak,
> especially when it looks like there might be a way to avoid it that
> you haven't explored.

The most common use-case for the Origin header is to confirm the request originated from the same host (which is what the "secret token" defense is used for).

One way to avoid privacy issues entirely would be to only send the Origin header when the request is going back to the same host; that still allows a site to avoid CSRF for the most common use-case and that eliminates the privacy issues.  In fact, when done this way, the Origin header can be included for all requests, including GET.  For sites that mis-implement GET, this is probably a more attractive solution anyhow.


- Bil
Received on Saturday, 24 January 2009 14:29:56 GMT
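
The same-host check Bil describes, written out as server-side logic. This is an added illustration, not code from the thread, from draft-abarth-origin, or from any browser or server; the `Request` dataclass, the host names and the `protect_get` / `accept_missing_origin` switches are assumptions made for the example. A state-changing request is accepted only when the Origin header's scheme, host and port match what the request arrived on; a missing or "null" Origin is denied unless the site deliberately chooses to let legacy clients through; and `protect_get` extends the check to GET for sites that, as the post puts it, mis-implement GET.

```python
"""Origin-header CSRF check: accept a state-changing request only when
Origin matches the scheme/host/port the request was received on.
Added example (not from the thread or the draft); the Request shape and
sample values below are constructed for illustration."""
from dataclasses import dataclass
from typing import Optional, Tuple
from urllib.parse import urlsplit

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}
DEFAULT_PORTS = {"http": 80, "https": 443}


@dataclass
class Request:
    method: str
    scheme: str             # scheme the server received the request on
    host: str               # Host header, e.g. "bank.example:8443"
    origin: Optional[str]   # Origin header, or None when absent


def _normalize(scheme: str, hostport: str) -> Tuple[str, str, int]:
    """Split host[:port], lowercase both parts, fill in the default port."""
    host, _, port = hostport.partition(":")
    return (scheme.lower(), host.lower(), int(port) if port else DEFAULT_PORTS[scheme.lower()])


def origin_tuple(origin: str) -> Optional[Tuple[str, str, int]]:
    """Parse an Origin value into (scheme, host, port).

    Returns None for "null", unknown schemes, userinfo, paths, queries,
    fragments or unparsable ports: anything that is not a bare
    scheme://host[:port] is treated as untrusted."""
    if origin == "null":
        return None
    parts = urlsplit(origin)
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    if parts.username is not None or parts.path or parts.query or parts.fragment:
        return None
    try:
        port = parts.port or DEFAULT_PORTS[parts.scheme]
    except ValueError:
        return None
    return (parts.scheme, parts.hostname.lower(), port)


def csrf_decision(req: Request, protect_get: bool = False,
                  accept_missing_origin: bool = False) -> str:
    """Return "allow" or "deny".

    Safe methods pass unless protect_get is set (for sites whose GETs
    change state).  Otherwise the request passes only when Origin equals
    the server's own scheme/host/port.  A missing Origin is denied by
    default; accept_missing_origin=True keeps Origin-less clients working
    at the cost of leaving them unprotected."""
    if req.method.upper() in SAFE_METHODS and not protect_get:
        return "allow"
    if req.origin is None:
        return "allow" if accept_missing_origin else "deny"
    claimed = origin_tuple(req.origin)
    if claimed is None:
        return "deny"
    return "allow" if claimed == _normalize(req.scheme, req.host) else "deny"


# Constructed sample requests (not captured traffic).
SAMPLES = {
    "same_host_post": Request("POST", "https", "bank.example", "https://bank.example"),
    "cross_site_post": Request("POST", "https", "bank.example", "https://attacker.example"),
    "no_origin_post": Request("POST", "https", "bank.example", None),
    "null_origin_post": Request("POST", "https", "bank.example", "null"),
    "scheme_mismatch": Request("POST", "https", "bank.example", "http://bank.example"),
    "port_mismatch": Request("POST", "https", "bank.example:8443", "https://bank.example"),
    "userinfo_in_origin": Request("POST", "https", "bank.example", "https://bank.example@attacker.example"),
    "plain_get": Request("GET", "https", "bank.example", "https://attacker.example"),
}


def run_samples(**options) -> dict:
    """Evaluate every sample request and return name -> decision."""
    return {name: csrf_decision(req, **options) for name, req in SAMPLES.items()}


if __name__ == "__main__":
    for name, decision in run_samples().items():
        print(f"{name:20s} {decision}")
```

The comparison is a full tuple equality on scheme, host and port rather than a substring or prefix match, so `https://bank.example.attacker.example` and `http://bank.example` both fail against an `https://bank.example` server. Only the default-deny on a missing header gives protection against clients that never send Origin; flipping `accept_missing_origin` is the explicit trade-off between compatibility and coverage.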
