
Re: Origin (was: Re: XHR LC Draft Feedback)

From: Bjoern Hoehrmann <derhoermi@gmx.net>
Date: Sat, 21 Jun 2008 23:57:29 +0200
To: "Adam Barth" <public-webapi@adambarth.com>
Cc: "Collin Jackson" <collinj@cs.stanford.edu>, "Web API WG (public)" <public-webapi@w3.org>, public-webapps@w3.org
Message-ID: <8jtq54ta1hh34p3cepdu7eeiuje64fkqfn@hive.bjoern.hoehrmann.de>

* Adam Barth wrote:
>We suggest that user agents attach an Origin header to POST requests.
>This balances the security benefits of easy CSRF protection with the
>privacy costs.  If user agents attached this header, sites could
>protect themselves from CSRF by (1) undertaking state-modifying actions
>only in response to POST requests and (2) implementing the below web
>application firewall rule (e.g., ModSecurity rule):

Isn't that balance a little bit odd? You can virtually eliminate the
privacy concerns simply by saying no more than "This request has been
initiated from a site different from the one mentioned in the Host
header", say, `Pragma: cross-site`, without losing much flexibility.
The scan for "pragma contains 'cross-site'" is also easier to set up.
-- 
Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de
Weinh. Str. 22 · Telefon: +49(0)621/4309674 · http://www.bjoernsworld.de
68309 Mannheim · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/ 
Received on Saturday, 21 June 2008 21:58:08 GMT
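As an added illustration (not code from either poster, and the ModSecurity rule itself is not quoted on the page), here are the two server-side checks the thread contrasts, in Python: the Origin-must-match-Host check on POST that Adam Barth describes, and the `Pragma: cross-site` check Bjoern proposes. The function names, the plain-dict header representation and the sample headers are constructed for this example.

```python
from urllib.parse import urlsplit

# Methods that must not change state, so neither policy gates them.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def _header(headers, name):
    """Case-insensitive lookup over a plain {name: value} dict (assumed shape)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def _hostport(netloc, scheme):
    """Split 'host[:port]' and fill in the scheme's default port.
    Simplification: hostnames only, no bracketed IPv6 literals."""
    host, _, port = netloc.lower().partition(":")
    return host, port or ("443" if scheme == "https" else "80")


def origin_matches_host(origin, host_header, scheme="https"):
    """True if the Origin header names the same scheme, host and port as Host."""
    parts = urlsplit(origin)
    if parts.scheme != scheme or not parts.netloc:
        return False
    return _hostport(parts.netloc, scheme) == _hostport(host_header, scheme)


def allow_origin_policy(method, headers, scheme="https"):
    """Barth's proposal: state changes only via POST, and the POST's Origin
    must match Host. Returns (allowed, reason)."""
    if method in SAFE_METHODS:
        return True, "safe method"
    if method != "POST":
        return False, "state-changing actions accepted only via POST"
    origin = _header(headers, "Origin")
    if origin is None:
        # Treat an absent header as cross-site rather than trusting it.
        return False, "missing Origin"
    if origin.strip().lower() == "null":
        return False, "opaque Origin"
    if not origin_matches_host(origin, _header(headers, "Host") or "", scheme):
        return False, "cross-site Origin"
    return True, "same-site Origin"


def allow_pragma_policy(method, headers):
    """Hoehrmann's counter-proposal: the UA only flags cross-site requests
    with 'Pragma: cross-site'; the server rejects flagged state changes."""
    if method in SAFE_METHODS:
        return True, "safe method"
    tokens = {t.strip().lower() for t in (_header(headers, "Pragma") or "").split(",")}
    if "cross-site" in tokens:
        return False, "request flagged cross-site"
    return True, "not flagged cross-site"
```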
