
Re: The HTTP Origin Header (draft-abarth-origin)

From: Bjoern Hoehrmann <derhoermi@gmx.net>
Date: Sat, 24 Jan 2009 17:44:50 +0100
To: Adam Barth <w3c@adambarth.com>
Cc: ietf-http-wg@w3.org
Message-ID: <urfmn4pmns95vqao4rs3td3mi4mtqei3k9@hive.bjoern.hoehrmann.de>

* Adam Barth wrote:
>I was trying to make the point that Web sites cannot rely on the
>Referer header to build a CSRF defense.

I believe that point is somewhere between misleading and incorrect, but
for the sake of argument let me make this point instead: Web sites
cannot rely on the Origin header to build a CSRF defense. Now I'd like to
know how your point can reasonably be believed to be correct, but my point
reasonably believed to be incorrect, at some point within the next seven
years. Or, if you agree with my point, why you raise this point here.
-- 
Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de
Am Badedeich 7 · Telefon: +49(0)160/4415681 · http://www.bjoernsworld.de
25899 Dagebüll · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/ 
Received on Saturday, 24 January 2009 16:45:28 GMT
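As an added illustration of the reliance question the two correspondents are arguing over (example code written for this archive page, not code from either author or from draft-abarth-origin): a server-side CSRF check keyed on the Origin header, with a Referer fallback. The trusted origin, the sample header sets and the `strict` switch are assumptions; the `strict` branch is where a site has to decide what to do when neither header arrives, which is precisely the case it cannot rely on.

```python
from urllib.parse import urlsplit

# Constructed example: a CSRF check that compares the request's Origin
# (or, failing that, Referer) against the site's own origin. It returns
# (allowed, reason) so the policy decision stays visible to the caller.

def _origin_of(url):
    """Reduce a URL to its scheme://host[:port] origin, or None if unparsable."""
    p = urlsplit(url)
    if not p.scheme or not p.netloc:
        return None
    return f"{p.scheme}://{p.netloc}".lower()

def csrf_origin_check(headers, allowed_origins, strict=True):
    """Decide whether a state-changing request passes the Origin/Referer check.

    headers: request headers (names matched case-insensitively).
    allowed_origins: scheme://host[:port] strings the site trusts (assumed).
    strict: True rejects requests that carry neither header; False lets
            them through, which is the gap the thread is about.
    """
    h = {k.lower(): v for k, v in headers.items()}
    allowed = {a.lower() for a in allowed_origins}
    origin = h.get("origin")
    if origin is not None:
        # "null" is sent for opaque origins and must never match a site.
        if origin.strip().lower() == "null":
            return (False, "origin-null")
        return (_origin_of(origin) in allowed, "origin")
    referer = h.get("referer")
    if referer is not None:
        return (_origin_of(referer) in allowed, "referer")
    # Neither header present: the server has nothing to compare against.
    return (not strict, "no-header")

ALLOWED = {"https://example.test"}          # assumed site origin
# Constructed sample header sets, not captured traffic.
SAMPLES = {
    "same_origin":  {"Origin": "https://example.test"},
    "cross_origin": {"Origin": "https://other.example"},
    "referer_only": {"Referer": "https://example.test/account/settings"},
    "stripped":     {},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        print(name, csrf_origin_check(hdrs, ALLOWED))
```

With `strict=True` the "stripped" request is refused even though it may well be a legitimate user behind a header-stripping proxy; with `strict=False` it is accepted even though it may be cross-site. Neither setting turns the header into something the site can rely on by itself.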
