W3C home > Mailing lists > Public > public-web-intents@w3.org > August 2012

Re: Passing "origin" with intents

From: Conrad Irwin <conrad.irwin@gmail.com>
Date: Mon, 27 Aug 2012 13:15:19 -0700
Message-ID: <CAOTq_pt1xpSVbO1dzzykTzb=6EWJ0sSyLvr2oAmjLZ_Rj730LQ@mail.gmail.com>
To: KOMATSU Kensaku <kensaku.komatsu@gmail.com>
Cc: "SULLIVAN, BRYAN L" <bs3131@att.com>, James Hawkins <jhawkins@google.com>, Greg Billock <gbillock@google.com>, "public-web-intents@w3.org" <public-web-intents@w3.org>
On Mon, Aug 27, 2012 at 1:02 PM, KOMATSU Kensaku
<kensaku.komatsu@gmail.com> wrote:
> Yep, most of modern browsers such as IE, chrome, safari and opera are
> trusted and sends right origin to intent services. But there are other clients
> their behavior is not trusted. So, I guess James pointed that origin info
> from clients is not always trusted.

Just like the Origin: HTTP header, the only guarantee you get is that
"this user trusts the browser to send the correct Origin header".It
doesn't protect you from malicious users, but it does allow you to
protect clumsy users who might be fooled into clicking an intent on a
malicious website.

Conrad
Received on Monday, 27 August 2012 20:16:06 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 20:14:47 UTC