W3C home > Mailing lists > Public > public-web-intents@w3.org > August 2012

Re: Passing "origin" with intents

From: Greg Billock <gbillock@google.com>
Date: Mon, 27 Aug 2012 14:47:51 -0700
Message-ID: <CAAxVY9cKhsiyWNc3uVGhf1Svi8vSDK-BxBYJjzPhLq63v59Ymw@mail.gmail.com>
To: Conrad Irwin <conrad.irwin@gmail.com>
Cc: KOMATSU Kensaku <kensaku.komatsu@gmail.com>, "SULLIVAN, BRYAN L" <bs3131@att.com>, James Hawkins <jhawkins@google.com>, "public-web-intents@w3.org" <public-web-intents@w3.org>
If the client doesn't want to disclose the origin, attaching it always
might be a privacy concern. "UseOrigin: true" is nice -- then the
browser fills in the right origin for the service. That lets the
service know that the client is purposefully disclosing the origin,
and that the value received is from the UA.

Obviously the service can be loaded by a malicious UA, so it will need
to maintain its own security based on other content in the message
anyway.


On Mon, Aug 27, 2012 at 1:15 PM, Conrad Irwin <conrad.irwin@gmail.com> wrote:
> On Mon, Aug 27, 2012 at 1:02 PM, KOMATSU Kensaku
> <kensaku.komatsu@gmail.com> wrote:
>> Yep, most of modern browsers such as IE, chrome, safari and opera are
>> trusted and sends right origin to intent services. But there are other clients
>> their behavior is not trusted. So, I guess James pointed that origin info
>> from clients is not always trusted.
>
> Just like the Origin: HTTP header, the only guarantee you get is that
> "this user trusts the browser to send the correct Origin header".It
> doesn't protect you from malicious users, but it does allow you to
> protect clumsy users who might be fooled into clicking an intent on a
> malicious website.
>
> Conrad
Received on Monday, 27 August 2012 21:48:19 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 20:14:47 UTC