
Re: The HTTP Origin Header (draft-abarth-origin)

From: Thomas Broyer <t.broyer@gmail.com>
Date: Fri, 30 Jan 2009 14:19:36 +0100
Message-ID: <a9699fd20901300519s7cb3eb63w8e325527d7da322a@mail.gmail.com>
To: ietf-http-wg@w3.org

On Fri, Jan 30, 2009 at 9:23 AM, Mark Nottingham wrote:
>
> On 25/01/2009, at 10:16 AM, Adam Barth wrote:
>>
>> The essential point which you are misunderstanding is this:
>>
>> 1) The attacker can force a user agent to suppress the Referer header,
>> mimicking a user behind a Referer-stripping proxy.
>
> Can you walk us through this attack, please? Or give a reference...

http://www.adambarth.com/papers/2008/barth-jackson-mitchell-b.pdf
Page 6, "Case Study: Facebook", contains an example; though I suspect
there are other ways of suppressing the Referer.

-- 
Thomas Broyer
Received on Friday, 30 January 2009 13:20:17 GMT
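To make concrete why a suppressed Referer matters for the policy question in this thread, here is an added example (not code from the thread, the paper, or draft-abarth-origin) of a server-side check for state-changing requests under three policies: a Referer check that tolerates a missing header to accommodate Referer-stripping proxies, a strict Referer check, and an Origin check of the kind the draft is meant to enable. SITE_ORIGIN, the policy names and the rule that state changes arrive only by POST are assumptions of the example.

```python
from urllib.parse import urlsplit

SITE_ORIGIN = "https://example.com"  # constructed: the protected site's origin


def _origin_of(url):
    """Reduce an absolute URL (e.g. a Referer value) to scheme://host[:port]."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}".lower()


def csrf_check(method, headers, policy):
    """Decide whether a state-changing request may proceed.

    headers: dict keyed by lowercase header name.
    policy (assumed names):
      'referer-lenient' - accept when Referer is absent, to keep users behind
                          Referer-stripping proxies working; a Referer the
                          attacker managed to suppress passes the same way
      'referer-strict'  - reject when Referer is absent; closes that gap but
                          locks out users behind stripping proxies
      'origin'          - require an Origin header naming this site
    Returns (allowed, reason).
    """
    if method.upper() != "POST":
        return False, "state changes are accepted only via POST (assumed)"
    if policy in ("referer-lenient", "referer-strict"):
        ref = headers.get("referer")
        if ref is None:
            if policy == "referer-lenient":
                return True, "no Referer: assumed stripping proxy"
            return False, "no Referer: rejected"
        ok = _origin_of(ref) == SITE_ORIGIN
        return ok, "Referer origin " + ("matches" if ok else "differs")
    if policy == "origin":
        origin = headers.get("origin")
        if origin is None:
            return False, "no Origin header"
        if origin.lower() == "null":
            return False, "Origin is null"
        ok = origin.lower() == SITE_ORIGIN
        return ok, "Origin " + ("matches" if ok else "differs")
    raise ValueError(f"unknown policy: {policy}")
```

The first two policies show the trade-off the thread is about: a site cannot both tolerate stripping proxies and reject a deliberately suppressed Referer, which is why a header that is never stripped is attractive.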
