Wouldn't the client want some knowledge of which service it is disclosing the origin to? Given that the service is decoupled from the client maybe we would want a more subtle policy such as: send_origin="NEVER (implicit), ALWAYS, SAME_ORIGIN" Steve McKay | Sr. Software Engineer | smckay@google.com | 310-359-8331 On Mon, Aug 27, 2012 at 2:47 PM, Greg Billock <gbillock@google.com> wrote: > > If the client doesn't want to disclose the origin, attaching it always > might be a privacy concern. "UseOrigin: true" is nice -- then the > browser fills in the right origin for the service. That lets the > service know that the client is purposefully disclosing the origin, > and that the value received is from the UA. > > Obviously the service can be loaded by a malicious UA, so it will need > to maintain its own security based on other content in the message > anyway. > > > On Mon, Aug 27, 2012 at 1:15 PM, Conrad Irwin <conrad.irwin@gmail.com> > wrote: > > On Mon, Aug 27, 2012 at 1:02 PM, KOMATSU Kensaku > > <kensaku.komatsu@gmail.com> wrote: > >> Yep, most of modern browsers such as IE, chrome, safari and opera are > >> trusted and sends right origin to intent services. But there are other > clients > >> their behavior is not trusted. So, I guess James pointed that origin > info > >> from clients is not always trusted. > > > > Just like the Origin: HTTP header, the only guarantee you get is that > > "this user trusts the browser to send the correct Origin header".It > > doesn't protect you from malicious users, but it does allow you to > > protect clumsy users who might be fooled into clicking an intent on a > > malicious website. > > > > Conrad > >
Received on Monday, 27 August 2012 22:31:14 UTC