Re: The HTTP Origin Header (draft-abarth-origin)

From: Adam Barth <w3c@adambarth.com>
Date: Mon, 26 Jan 2009 18:47:25 -0800
Message-ID: <7789133a0901261847wa1a2a74q22d6f8a61d7c3ea6@mail.gmail.com>
To: Adrien de Croy <adrien@qbik.com>
Cc: ietf-http-wg@w3.org

On Mon, Jan 26, 2009 at 6:46 PM, Adrien de Croy <adrien@qbik.com> wrote:
>>> Adam Barth wrote:
>>>> It is impossible to secure all the users who visit your Web site.  You
>>>> cannot secure users with IE5 or Firefox 1.0, for example.

[snip]

> I was referring to a secure system that does not rely on secrecy, since we
> all know that secrecy is not security.
>
> E.g. some sort of random token + hashing, where you pass a token to the
> browser, it does something to it (e.g. in script), and passes the result
> back.
>
> One that can't be forged, and can't be replayed.

These browsers are unable to distinguish "your site" from "the
attacker's site."  Anything that your site can do, the attacker can do
on behalf of your site.  It's as if your site has an XSS vulnerability
that you cannot patch.

Adam
Received on Tuesday, 27 January 2009 02:47:59 GMT