
Re: The Origin header (was Re: HTTPbis and the Same Origin Policy)

From: Maciej Stachowiak <mjs@apple.com>
Date: Fri, 04 Dec 2009 10:00:45 -0800
Cc: "public-web-security@w3.org" <public-web-security@w3.org>
Message-id: <BBD3624F-1CAD-46AC-B78A-383D8DA05F24@apple.com>
To: Mary Ellen Zurko <mzurko@us.ibm.com>

On Dec 4, 2009, at 7:36 AM, Mary Ellen Zurko wrote:

> > The Origin header as used in HTML5 is at best tangentially related to
> > the same-origin policy. It does depend on the origin notion, but it
> > has a different purpose. Same-origin is about preventing Cross-Site
> > Scripting (XSS) attacks. Origin (as used in HTML5) primarily helps to
> > mitigate Cross-Site Request Forgery (CSRF) attacks. Same-origin policy
> > is about preventing actions on the client side. Origin is about
> > labeling requests to allow the server to optionally use that
> > information.
>
> Not to be a total pedant, but since this is an issue near and dear  
> to my heart...
>
> Same-origin is about mitigating XSS, not preventing it, right? Since
> in web apps that allow users to collaborate with content that might
> include (D)HTML, same-origin is of no help at all. Right?

There are really several kinds of XSS:

1) reflective XSS - site incorporates part of the request (usually the
URL) in the response without sufficient escaping, allowing script
injection from an attacker
2) persistent XSS - site persistently stores data from an attacker
(for example, user-generated content is posted to a social network
page or blog comment field) and then includes it in served content,
without sufficient checks or escaping to prevent script, allowing
script injection from an attacker
3) direct XSS - script from site A running in the browser directly
accesses the DOM for content from site B

Same-origin policy is intended to prevent the third kind and does not
address the first two kinds at all. If browsers did not have the
same-origin policy for scripting, then it would be very difficult,
perhaps impossible, for sites to prevent type 3.

Regards,
Maciej
Received on Friday, 4 December 2009 18:01:19 GMT
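The distinction drawn in the message above, between the browser-side same-origin check (which addresses the third kind of XSS) and the server-side output escaping that the first two kinds require, can be made concrete in code. The following is an added example written for this archive page; it is not code from the original message or from any browser. It models an origin as the (scheme, host, port) tuple, assumes the default ports 80 and 443 for http and https, and uses a minimal HTML escaper; the sample query and comment strings are constructed here.

```javascript
// Added example (not part of the mailing-list message): models the two
// distinct mechanisms the message contrasts.
//  - sameOrigin(): the browser-side check behind the same-origin policy,
//    which is what blocks "type 3" (direct DOM access across sites).
//  - escapeHtml(): the server-side output escaping that addresses
//    "type 1" and "type 2" (reflective and persistent XSS), which the
//    same-origin policy does not address at all.
// Assumption: an origin is the (scheme, host, port) tuple, with the
// default ports for http/https taken as 80/443.

const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Parse a URL into its origin tuple.
function originOf(urlString) {
  const u = new URL(urlString);
  const port = u.port || DEFAULT_PORTS[u.protocol] || "";
  return { scheme: u.protocol, host: u.hostname, port };
}

// True when two URLs share scheme, host and port, i.e. script loaded from
// `a` is allowed to touch the DOM of a document loaded from `b` under the
// same-origin policy. Any difference in the tuple (including a subdomain
// or a non-default port) makes the origins distinct.
function sameOrigin(a, b) {
  const oa = originOf(a), ob = originOf(b);
  return oa.scheme === ob.scheme && oa.host === ob.host && oa.port === ob.port;
}

// Minimal HTML-entity escaping for text placed in element content or in a
// double-quoted attribute value. This output encoding is what stops
// reflected and stored script injection; the same-origin policy plays no
// part here.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, ch => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;"
  })[ch]);
}

// Render a page that reflects a query parameter (the type 1 scenario) and
// a list of stored comments (the type 2 scenario), escaping every
// untrusted value before it is placed into the markup.
function renderSearchPage(query, storedComments) {
  const items = storedComments.map(c => `<li>${escapeHtml(c)}</li>`).join("");
  return `<h1>Results for "${escapeHtml(query)}"</h1><ul>${items}</ul>`;
}

// Constructed sample inputs (not from the original message).
const sampleQuery = '<script>alert(1)</script>';
const sampleComments = ['hello', '<img src=x onerror="alert(2)">'];

if (typeof require !== "undefined" && require.main === module) {
  console.log(sameOrigin("https://example.com/a", "https://example.com:443/b")); // true
  console.log(sameOrigin("https://example.com", "http://example.com"));          // false
  console.log(renderSearchPage(sampleQuery, sampleComments));
}
```

Note that `sameOrigin` returning false is the browser's decision, made regardless of what the server does, while `renderSearchPage` only stays safe because the server escapes its own output; a site that stores collaborator-supplied HTML and emits it unescaped gets no help from the first function, which is the point of the exchange above.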
