Re: The HTTP Origin Header (draft-abarth-origin)

Adam Barth wrote:
> On Mon, Jan 26, 2009 at 2:00 AM, Thomas Broyer <t.broyer@gmail.com> wrote:
>   
>> What if the UA discard the Origin value (i.e. use "null" or some other
>> value) when crossing "zone" boundaries?
>>     
>
> That's an interesting idea.  I'm not sure we have the notion of a
> "zone" available to us at this level of abstraction.  Internet
> Explorer certainly has that concept, but I'm not sure other browsers
> do.
>   

It seems not.
http://code.google.com/p/browsersec/wiki/Part3#Microsoft_Internet_Explorer_zone_model

>   
>> When an Intranet web page issues a request to an Internet resource,
>> then the UA SHOULD send "Origin: null" instead of "Origin:
>> http://<intranet-server>".
>>     
>
> We could recommend this in the non-normative privacy considerations
> section.  It's certainly permitted by the current draft.
>   

If the Origin header is sent only for POST requests, the probability of
intranet information leakage is almost null in examples like those
previously cited.

Regards
Emilio

Received on Tuesday, 27 January 2009 00:38:01 UTC
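The two ideas discussed in this thread (send Origin only on POST, and degrade it to "null" when a request crosses from an intranet zone to the Internet) are easy to illustrate as a single decision function. The following is an added example written for this page, not code from the draft or from any browser. The zone classification it uses (dotless hostnames, localhost and RFC 1918 / loopback addresses count as "intranet", everything else as "internet") is an assumed placeholder heuristic standing in for a real zone model such as Internet Explorer's; the function names are likewise hypothetical.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumed stand-in for a browser "zone" model: private and loopback ranges
# are treated as intranet. A real UA would consult its own zone configuration.
PRIVATE_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "::1/128")
]

DEFAULT_PORTS = {"http": 80, "https": 443}


def zone_of(url: str) -> str:
    """Classify a URL as 'intranet' or 'internet' (placeholder heuristic)."""
    host = urlsplit(url).hostname or ""
    # Dotless names (e.g. http://wiki/) and localhost are intranet-style names.
    if host == "localhost" or "." not in host and ":" not in host:
        return "intranet"
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        # Not an IP literal: treat any dotted DNS name as Internet.
        return "internet"
    return "intranet" if any(addr in net for net in PRIVATE_NETS) else "internet"


def serialize_origin(url: str) -> str:
    """Serialize scheme://host[:port] as an Origin value, omitting default ports."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = parts.hostname or ""          # urlsplit lower-cases the hostname
    if ":" in host:                      # IPv6 literal must stay bracketed
        host = f"[{host}]"
    port = parts.port
    if port is None or port == DEFAULT_PORTS.get(scheme):
        return f"{scheme}://{host}"
    return f"{scheme}://{host}:{port}"


def origin_header(page_url: str, target_url: str, method: str):
    """Return the Origin header value a UA would send, or None for no header.

    Policy modelled from the thread:
      * Origin is only attached to POST requests.
      * A request from an intranet-zone page to an Internet-zone resource
        sends "Origin: null" so the intranet hostname is not disclosed.
    """
    if method.upper() != "POST":
        return None
    if zone_of(page_url) == "intranet" and zone_of(target_url) == "internet":
        return "null"
    return serialize_origin(page_url)


if __name__ == "__main__":
    # Constructed sample requests, one per policy branch.
    samples = [
        ("http://wiki/page", "http://example.com/submit", "POST"),
        ("http://10.1.2.3/app", "https://example.com/x", "POST"),
        ("http://wiki/page", "http://10.1.2.3/x", "POST"),
        ("https://app.example.com:8443/x", "https://api.example.com/", "POST"),
        ("http://wiki/page", "http://example.com/", "GET"),
    ]
    for page, target, method in samples:
        print(f"{method:4} {page} -> {target}: Origin = {origin_header(page, target, method)}")
```

The intranet-to-intranet case keeps the full origin, since the concern in the thread is only about the name leaking out of the zone; cross-zone requests to the Internet carry "null", and non-POST requests carry no header at all.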