Re: Passing "origin" with intents from Conrad Irwin on 2012-08-27 (public-web-intents@w3.org from August 2012)

From: Conrad Irwin <conrad.irwin@gmail.com>
Date: Mon, 27 Aug 2012 13:15:19 -0700
To: KOMATSU Kensaku <kensaku.komatsu@gmail.com>
Cc: "SULLIVAN, BRYAN L" <bs3131@att.com>, James Hawkins <jhawkins@google.com>, Greg Billock <gbillock@google.com>, "public-web-intents@w3.org" <public-web-intents@w3.org>
Message-ID: <CAOTq_pt1xpSVbO1dzzykTzb=6EWJ0sSyLvr2oAmjLZ_Rj730LQ@mail.gmail.com>

On Mon, Aug 27, 2012 at 1:02 PM, KOMATSU Kensaku
<kensaku.komatsu@gmail.com> wrote:
> Yep, most of modern browsers such as IE, chrome, safari and opera are
> trusted and sends right origin to intent services. But there are other clients
> their behavior is not trusted. So, I guess James pointed that origin info
> from clients is not always trusted.

Just like the Origin: HTTP header, the only guarantee you get is that
"this user trusts the browser to send the correct Origin header".It
doesn't protect you from malicious users, but it does allow you to
protect clumsy users who might be fooled into clicking an intent on a
malicious website.

Conrad

Received on Monday, 27 August 2012 20:16:06 UTC