- From: Greg Billock <gbillock@google.com>
- Date: Mon, 27 Aug 2012 14:47:51 -0700
- To: Conrad Irwin <conrad.irwin@gmail.com>
- Cc: KOMATSU Kensaku <kensaku.komatsu@gmail.com>, "SULLIVAN, BRYAN L" <bs3131@att.com>, James Hawkins <jhawkins@google.com>, "public-web-intents@w3.org" <public-web-intents@w3.org>
If the client doesn't want to disclose the origin, attaching it always might be a privacy concern. "UseOrigin: true" is nice -- then the browser fills in the right origin for the service. That lets the service know that the client is purposefully disclosing the origin, and that the value received is from the UA. Obviously the service can be loaded by a malicious UA, so it will need to maintain its own security based on other content in the message anyway. On Mon, Aug 27, 2012 at 1:15 PM, Conrad Irwin <conrad.irwin@gmail.com> wrote: > On Mon, Aug 27, 2012 at 1:02 PM, KOMATSU Kensaku > <kensaku.komatsu@gmail.com> wrote: >> Yep, most of modern browsers such as IE, chrome, safari and opera are >> trusted and sends right origin to intent services. But there are other clients >> their behavior is not trusted. So, I guess James pointed that origin info >> from clients is not always trusted. > > Just like the Origin: HTTP header, the only guarantee you get is that > "this user trusts the browser to send the correct Origin header".It > doesn't protect you from malicious users, but it does allow you to > protect clumsy users who might be fooled into clicking an intent on a > malicious website. > > Conrad
Received on Monday, 27 August 2012 21:48:19 UTC