W3C home > Mailing lists > Public > ietf-http-wg@w3.org > January to March 2009

Re: The HTTP Origin Header (draft-abarth-origin)

From: Adam Barth <w3c@adambarth.com>
Date: Sat, 24 Jan 2009 10:02:11 -0800
Message-ID: <7789133a0901241002i422bf7d9o812c9b0fcb4da022@mail.gmail.com>
To: Robert Sayre <sayrer@gmail.com>
Cc: "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>

On Sat, Jan 24, 2009 at 4:22 AM, Robert Sayre <sayrer@gmail.com> wrote:
> Sorry, of course. Let's substitute a JS-triggered form post, or even
> just a click on something that looks like link but it is an image form
> button, and continue productive discussion.

Of course there is no way for the user to determine whether an
intranet site is leaking its host name to the Internet, but a site
that wants to leaks its host name doesn't need the Origin header to do
this.  The vast majority of intranet-to-Internet network requests are
generated from hyperlinks.  Do you have examples of intranet sites
with sensitive host names that POST to untrusted Internet sites?

Without even anecdotal evidence that this occurs, this privacy leak
seems theoretical.  (Of course, I'd prefer hard data to anecdotes.)

> Information on the quantity would be nice to have, but I don't think a
> new CSRF mitigation technique should introduce a privacy leak,
> especially when it looks like there might be a way to avoid it that
> you haven't explored.

I welcome suggestions for a solution that address the same use cases
with further privacy protections.

Adam
Received on Saturday, 24 January 2009 18:02:47 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 27 April 2012 06:51:00 GMT