W3C home > Mailing lists > Public > ietf-http-wg@w3.org > January to March 2009

Re: The HTTP Origin Header (draft-abarth-origin)

From: Adam Barth <w3c@adambarth.com>
Date: Sat, 24 Jan 2009 10:10:51 -0800
Message-ID: <7789133a0901241010n574a64bfm2fef994892030fe7@mail.gmail.com>
To: Bil Corry <bil@corry.biz>
Cc: ietf-http-wg@w3.org

On Sat, Jan 24, 2009 at 6:29 AM, Bil Corry <bil@corry.biz> wrote:
> The most common use-case for the Origin header is to confirm the request originated from the same host (which is what the "secret token" defense is used for).

The secret token defense is not limited to a single host name.

> One way to avoid privacy issues entirely would be to only send the Origin header when the request is going back to the same host; that still allows a site to avoid CSRF for the most common use-case and the eliminates the privacy issues.  In fact, when done this way, the Origin header can be included for all requests, including GET.  For sites that mis-implement GET, this is probably a more attractive solution anyhow.

This is an interesting suggestion and worthy of further thought.
Essentially, this version of the header would convey the same bits in
Rob's proposal but in an easier to understand form.  We should seek
feedback from Web site operators about whether they'd prefer the
Origin header for GET requests or for cross-host requests (with the
constraint that they can't have both for privacy reasons).

I've noted this proposal in the draft.

Thanks for your feedback,
Adam
Received on Saturday, 24 January 2009 18:11:31 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 27 April 2012 06:51:00 GMT