W3C home > Mailing lists > Public > ietf-http-wg@w3.org > January to March 2009

Re: The HTTP Origin Header (draft-abarth-origin)

From: Adrien de Croy <adrien@qbik.com>
Date: Mon, 26 Jan 2009 12:51:31 +1300
Message-ID: <497CFB03.8090007@qbik.com>
To: Adam Barth <w3c@adambarth.com>
CC: Mark Nottingham <mnot@mnot.net>, "Roy T. Fielding" <fielding@gbiv.com>, Larry Masinter <LMM@acm.org>, ietf-http-wg@w3.org, Lisa Dusseault <ldusseault@commerce.net>

Adam Barth wrote:
> The Origin header is incrementally useful as a CSRF defense.  Users
> with supporting user agents will benefit.  Users without supporting
> user agents will be no worse off than they are today.  This is
> different than the situation we are in today because sites must
> engineer complex CSRF defense to help any of their users.  The Origin
> header lets sits protect some of their users with minimal effort.

My question then is should we be pouring effort into a solution that is 
only incrementally useful.

A a site operator myself, I'm not particularly interested in very easily 
being able to protect a very small number of users.  We need to protect 
ALL our users.

If this means we have to go to some secure token-based approach, then 
why bother with anything else as well?

As long as there is an appreciable proportion of our user-base using a 
browser that doesn't support Origin, we will need to cater to them.  By 
your argument, a show-stopper proportion is at least 3% or less.

It just seems to make the Origin header a bit redundant.

Also, without any sort of decent crypto involved, any reliance on 
client-supplied data for real security seems destined to fail. 

Even if you could get the major browsers to support it, getting servers 
to support it would be several orders of magnitude more difficult.  For 
many sites it would require patching scripts.. lots of them.  Why would 
I go to all the effort to patch all our scripts to check Origin to only 
protect a vanishingly-small-maybe-growing-but-never-enough proportion of 
my users when I could get them all with a decent system?



> Adam

Adrien de Croy - WinGate Proxy Server - http://www.wingate.com
Received on Sunday, 25 January 2009 23:49:26 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 1 March 2016 11:10:48 UTC