
Re: The HTTP Origin Header (draft-abarth-origin)

From: Emilio Casbas <ecasbas@s21sec.com>
Date: Tue, 27 Jan 2009 01:36:25 +0100
Message-ID: <497E5709.2050608@s21sec.com>
To: Adam Barth <w3c@adambarth.com>
CC: Thomas Broyer <t.broyer@gmail.com>, ietf-http-wg@w3.org
Adam Barth wrote:
> On Mon, Jan 26, 2009 at 2:00 AM, Thomas Broyer <t.broyer@gmail.com> wrote:
>> What if the UA discards the Origin value (i.e. uses "null" or some other
>> value) when crossing "zone" boundaries?
>
> That's an interesting idea.  I'm not sure we have the notion of a
> "zone" available to us at this level of abstraction.  Internet
> Explorer certainly has that concept, but I'm not sure other browsers
> do.

It seems not.
http://code.google.com/p/browsersec/wiki/Part3#Microsoft_Internet_Explorer_zone_model

>> When an Intranet web page issues a request to an Internet resource,
>> then the UA SHOULD send "Origin: null" instead of "Origin:
>> http://<intranet-server>".
>
> We could recommend this in the non-normative privacy considerations
> section.  It's certainly permitted by the current draft.

If the Origin header is sent only for POST requests, the probability of
intranet information leakage is almost nil in examples like the one
previously cited.

Regards
Emilio
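As an added example that is not part of this thread or of draft-abarth-origin, the following Python sketches the UA-side decision the messages above discuss (serialize the page's origin, send it only on POST, downgrade to "null" when an intranet page talks to an internet host) next to the server-side check that must then cope with a "null" or absent Origin. The zone classifier in zone_of, the POST-only rule and the accept_request policy are assumptions chosen to mirror the proposals above, not normative text.

```python
from ipaddress import ip_address
from urllib.parse import urlsplit


def serialize_origin(url):
    """scheme://host[:port], omitting the port when it is the scheme default."""
    p = urlsplit(url)
    default = {"http": 80, "https": 443}.get(p.scheme)
    if p.port is None or p.port == default:
        return f"{p.scheme}://{p.hostname}"
    return f"{p.scheme}://{p.hostname}:{p.port}"


def zone_of(url):
    """Assumed zone classifier (browsers other than IE have no such notion):
    loopback/private IPs, single-label hosts and *.local count as 'intranet'."""
    host = urlsplit(url).hostname or ""
    try:
        ip = ip_address(host)
        return "intranet" if ip.is_private or ip.is_loopback else "internet"
    except ValueError:
        pass  # not an IP literal, classify by name shape below
    if "." not in host or host.endswith(".local"):
        return "intranet"
    return "internet"


def origin_header_for(method, page_url, target_url):
    """Value of the Origin header the UA would attach, or None when none is sent.
    Assumption from the thread: Origin only on POST; 'null' on intranet->internet."""
    if method.upper() != "POST":
        return None
    if zone_of(page_url) == "intranet" and zone_of(target_url) == "internet":
        return "null"
    return serialize_origin(page_url)


def accept_request(origin_header, allowed_origins):
    """Server-side CSRF check. A missing or 'null' Origin carries no trust,
    so the policy here (an assumption) is to reject it rather than allow-by-default."""
    if origin_header is None or origin_header == "null":
        return False
    return origin_header in allowed_origins


if __name__ == "__main__":
    # Constructed sample: intranet wiki page posting to a public site.
    print(origin_header_for("POST", "http://intranet-wiki/page", "http://example.com/submit"))  # null
    print(accept_request("null", {"http://example.com"}))  # False
```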


Received on Tuesday, 27 January 2009 00:38:01 GMT
