
Re: Origin

From: Jonas Sicking <jonas@sicking.cc>
Date: Sun, 25 May 2008 14:36:48 -0700
Message-ID: <4839DBF0.2020709@sicking.cc>
To: Anne van Kesteren <annevk@opera.com>
Cc: Adam Barth <public-webapi@adambarth.com>, Collin Jackson <collinj@cs.stanford.edu>, "Web API WG (public)" <public-webapi@w3.org>

Anne van Kesteren wrote:
> 
> On Sat, 24 May 2008 10:32:03 +0200, Anne van Kesteren <annevk@opera.com> 
> wrote:
>> On Tue, 13 May 2008 07:42:59 +0200, Adam Barth 
>> <public-webapi@adambarth.com> wrote:
>>> One option is to rename the header "Sec-Origin", which is already
>>> blocked in XHR Level 1.
>>
>> True, but I think Access-Control-Origin is better as it more clearly 
>> indicates what it is related to. And since we can safely do it given 
>> that cross-site requests won't work for XMLHttpRequest until Access 
>> Control is implemented I think it's acceptable.
> 
> It has been suggested that having an "Origin" header instead of 
> "Access-Control-Origin" would be useful in other contexts as well. That 
> browsers could always include this as it does not have the privacy issue 
> the "Referer" header has (does not include the path) and could therefore 
> be used for Access Control but also to prevent CSRF.
> 
> I'm not really sure whether that is a good idea, but you (Adam) and 
> Collin can hopefully weigh in on that. :-)

A similar idea came up when this header was named 'Referer-Root'. 
However it was suggested to name the header 'Access-Control-Origin' to 
allow servers to easily block all cross-site requests that were done 
based on the Access-Control spec.

If the header is simply named 'Origin' (or 'Referer-Root') then blocking 
any requests that include that header would also block for example 
cross-site image requests or cross-site POSTs.

This can be both good and bad. The good part is that it gives sites a 
tool to easily block all third-party requests. The bad part is that it 
makes it harder to just block the most dangerous ones, i.e. ones where 
the requesting site can read the response.

I suggest we keep Access-Control-Origin as is. A separate 'Origin' spec 
seems useful, but I suspect it would be better done as a separate spec.

/ Jonas
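The CSRF use Anne describes (a server comparing the request's origin header against its own origin) as an added example, not code from this thread; it assumes the header is called `Origin` as later standardized rather than the `Access-Control-Origin` name discussed here, and the own-origin set is a constructed value:

```python
from urllib.parse import urlsplit

# Constructed assumption: the origin(s) this server answers as.
OWN_ORIGINS = {"https://app.example"}
DEFAULT_PORTS = {"http": 80, "https": 443}


def normalize_origin(value):
    """Parse a serialized origin into (scheme, host, port).
    Returns None for a missing header, the opaque 'null' origin, or
    anything that does not look like scheme://host[:port]."""
    if value is None or value.strip().lower() == "null":
        return None
    try:
        parts = urlsplit(value.strip())
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        return None  # an origin carries no path, unlike Referer
    return (parts.scheme, parts.hostname.lower(), port or DEFAULT_PORTS[parts.scheme])


def classify(headers, state_changing):
    """CSRF decision for one request: 'allow' or 'deny'.
    headers: dict of request headers (looked up case-insensitively).
    state_changing: True for requests that must be same-origin (e.g. POST).
    A missing or 'null' Origin on a state-changing request fails closed."""
    lookup = {k.lower(): v for k, v in headers.items()}
    origin = normalize_origin(lookup.get("origin"))
    own = {normalize_origin(o) for o in OWN_ORIGINS}
    if origin is not None and origin in own:
        return "allow"  # same-origin request
    if not state_changing:
        # Cross-site reads (images, GETs of public resources) are not blocked
        # here; this check cannot tell an XHR apart from an <img> fetch,
        # which is the limitation Jonas raises above.
        return "allow"
    return "deny"
```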
Received on Sunday, 25 May 2008 21:38:13 GMT
