W3C home > Mailing lists > Public > public-web-intents@w3.org > August 2012

Re: Passing "origin" with intents

From: (wrong string) ⅔ Steve McKay <smckay@google.com>
Date: Mon, 27 Aug 2012 15:30:47 -0700
Message-ID: <CAMrnEYMaiLtLNWYCKHSnSbpWeFXOcoTPbuF19miR3q43POi5hw@mail.gmail.com>
To: Greg Billock <gbillock@google.com>
Cc: Conrad Irwin <conrad.irwin@gmail.com>, KOMATSU Kensaku <kensaku.komatsu@gmail.com>, "SULLIVAN, BRYAN L" <bs3131@att.com>, James Hawkins <jhawkins@google.com>, "public-web-intents@w3.org" <public-web-intents@w3.org>
Wouldn't the client want some knowledge of which service it is disclosing
the origin to? Given that the service is decoupled from the client maybe we
would want a more subtle policy such as:

send_origin="NEVER (implicit), ALWAYS, SAME_ORIGIN"

Steve McKay | Sr. Software Engineer | smckay@google.com | 310-359-8331




On Mon, Aug 27, 2012 at 2:47 PM, Greg Billock <gbillock@google.com> wrote:

>
> If the client doesn't want to disclose the origin, attaching it always
> might be a privacy concern. "UseOrigin: true" is nice -- then the
> browser fills in the right origin for the service. That lets the
> service know that the client is purposefully disclosing the origin,
> and that the value received is from the UA.
>
> Obviously the service can be loaded by a malicious UA, so it will need
> to maintain its own security based on other content in the message
> anyway.
>
>
> On Mon, Aug 27, 2012 at 1:15 PM, Conrad Irwin <conrad.irwin@gmail.com>
> wrote:
> > On Mon, Aug 27, 2012 at 1:02 PM, KOMATSU Kensaku
> > <kensaku.komatsu@gmail.com> wrote:
> >> Yep, most of modern browsers such as IE, chrome, safari and opera are
> >> trusted and sends right origin to intent services. But there are other
> clients
> >> their behavior is not trusted. So, I guess James pointed that origin
> info
> >> from clients is not always trusted.
> >
> > Just like the Origin: HTTP header, the only guarantee you get is that
> > "this user trusts the browser to send the correct Origin header".It
> > doesn't protect you from malicious users, but it does allow you to
> > protect clumsy users who might be fooled into clicking an intent on a
> > malicious website.
> >
> > Conrad
>
>
Received on Monday, 27 August 2012 22:31:14 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 20:14:47 UTC