
Re: The HTTP Origin Header (draft-abarth-origin)

From: Adam Barth <w3c@adambarth.com>
Date: Mon, 26 Jan 2009 18:37:34 -0800
Message-ID: <7789133a0901261837n6fb3d75bub4882d40c331ed42@mail.gmail.com>
To: Adrien de Croy <adrien@qbik.com>
Cc: Mark Nottingham <mnot@mnot.net>, "Roy T. Fielding" <fielding@gbiv.com>, Larry Masinter <LMM@acm.org>, ietf-http-wg@w3.org, Lisa Dusseault <ldusseault@commerce.net>

On Mon, Jan 26, 2009 at 5:34 PM, Adrien de Croy <adrien@qbik.com> wrote:
> Adam Barth wrote:
>> It is impossible to secure all the users who visit your Web site.  You
>> cannot secure users with IE5 or Firefox 1.0, for example.  Moreover,
>> the header provides incremental value while it is being deployed.
>
> Do you have any more information on this you could refer me to?  I find it
> hard to believe that there can be no security scheme which would be
> browser-independent.

These browsers are no longer maintained by their vendors.  Whenever
you see a vulnerability patched for IE7 or Firefox 3, there is a good
chance that vulnerability also exists in IE5 or Firefox 1.0.  In the
context of this discussion, that means the "secret" tokens you rely
upon for CSRF protection are not secret, and the attacker is free to
mount a CSRF attack against your site.

Adam
Received on Tuesday, 27 January 2009 02:38:09 GMT
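Adam's point that the Origin header gives incremental protection while it is being deployed, as an added example that is not from the thread or from draft-abarth-origin: a server-side CSRF check that judges requests carrying an Origin header on that header alone and falls back to the legacy secret token only when the browser sends none. The site origin, header layout and token handling are assumptions made for this illustration.

```python
import hmac
from urllib.parse import urlsplit

# Hypothetical site configuration (constructed for this example).
SITE_ORIGIN = "https://bank.example"
STATE_CHANGING = {"POST", "PUT", "DELETE", "PATCH"}


def normalize_origin(value):
    """Reduce a URL or Origin value to scheme://host[:port] for comparison."""
    parts = urlsplit(value.strip())
    try:
        port = parts.port
    except ValueError:
        return None  # malformed port: treat as unparseable
    if not parts.scheme or not parts.hostname:
        return None
    scheme = parts.scheme.lower()
    host = parts.hostname.lower()
    default = {"http": 80, "https": 443}.get(scheme)
    if port is None or port == default:
        return f"{scheme}://{host}"
    return f"{scheme}://{host}:{port}"


def csrf_decision(method, headers, form_token, session_token):
    """Return 'allow' or 'reject' for one request.

    A browser that sends Origin is judged on that header: a mismatch is
    rejected even if the per-session token is correct, which covers the
    case where the token has leaked. A browser that sends no Origin (an
    older client) falls back to the secret-token comparison, so the header
    adds protection as it is deployed without breaking existing clients.
    """
    if method.upper() not in STATE_CHANGING:
        return "allow"  # safe methods are not CSRF targets
    origin = headers.get("Origin")
    if origin is not None:
        if origin.strip().lower() == "null":
            return "reject"  # opaque origin: nothing to trust
        return "allow" if normalize_origin(origin) == SITE_ORIGIN else "reject"
    # Legacy path: no Origin header, so rely on the per-session secret token.
    if session_token and form_token and hmac.compare_digest(form_token, session_token):
        return "allow"
    return "reject"
```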

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 27 April 2012 06:51:00 GMT