
Re: Origin (was: Re: XHR LC Draft Feedback)

From: Bjoern Hoehrmann <derhoermi@gmx.net>
Date: Sun, 22 Jun 2008 03:51:57 +0200
To: "Collin Jackson" <w3c@collinjackson.com>
Cc: "Adam Barth" <public-webapi@adambarth.com>, public-webapps@w3.org
Message-ID: <ia5r541g3l9if3fbv0ifj10hlv65p3heho@hive.bjoern.hoehrmann.de>

* Collin Jackson wrote:
>The advantage of the Origin header is that it provides sites with
>functionality that can't already be emulated with XMLHttpRequest: it
>allows them to distinguish trusted (sub)domains from completely
>untrusted domains.

The stated goal was to balance easy protection against session riding
attacks without compromising privacy too much. Allowing session riding
via some sites but not others is something that cannot be done securely
today without major effort as whatever information is used to tell good
requests apart from bad requests may either be absent or faked. That'll
remain so until any browser that does not set the header can be blocked.

I would hope that at that point, other means of cross site and document
communication are more attractive to developers than what is currently
not affected by same-origin restrictions, and hope that new ways of
bypassing the same-origin restrictions will not rely on the Origin header
alone, so I don't think there is any real advantage. Perhaps I'm missing
something? I'm ignoring that the "AC" draft now also has a header named
"Origin" as that is a more recent development.
-- 
Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de
Weinh. Str. 22 · Telefon: +49(0)621/4309674 · http://www.bjoernsworld.de
68309 Mannheim · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/ 
Received on Sunday, 22 June 2008 01:52:36 GMT
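Added example, not part of the thread or of any W3C draft: a server-side Origin check for state-changing requests that makes the gap discussed above explicit (an absent header cannot be told apart from a browser that predates it, so the policy either blocks such browsers outright or falls back to a same-site token). The trusted-domain policy, host names and return strings are constructed for illustration.

```python
from urllib.parse import urlsplit
import hmac

# Constructed policy (hypothetical names): exact trusted origins, plus parent
# domains whose default-port HTTPS subdomains are all trusted.
TRUSTED_ORIGINS = {("https", "app.example.test", 443)}
TRUSTED_PARENT_DOMAINS = ("example.test",)

def parse_origin(value):
    """(scheme, host, port) for a serialized origin; None for 'null', a
    multi-valued or malformed value, i.e. anything the check must not trust."""
    if value is None or value == "null" or any(c in value for c in ", \t"):
        return None
    parts = urlsplit(value)
    try:
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    if parts.path or parts.query or parts.fragment:
        return None
    return (parts.scheme, parts.hostname, port or (443 if parts.scheme == "https" else 80))

def origin_is_trusted(origin):
    scheme, host, port = origin
    if origin in TRUSTED_ORIGINS:
        return True
    # The leading dot keeps look-alikes such as "evil-example.test" out.
    return scheme == "https" and port == 443 and any(
        host == d or host.endswith("." + d) for d in TRUSTED_PARENT_DOMAINS)

def check_request(headers, block_legacy, csrf_cookie=None, csrf_form=None):
    """Decide whether a state-changing request may proceed.
    block_legacy=True is the end state the mail describes: browsers that never
    send Origin are refused, so an absent header can no longer pass as trusted.
    block_legacy=False keeps them working but falls back to a same-site token."""
    raw = next((v for k, v in headers.items() if k.lower() == "origin"), None)
    if raw is None:
        if block_legacy:
            return "deny: no Origin"
        # A pre-Origin browser and a stripped header look the same here; only
        # the token (a secret another site cannot read) can tell them apart.
        if csrf_cookie and csrf_form and hmac.compare_digest(csrf_cookie, csrf_form):
            return "allow: token"
        return "deny: no Origin, no token"
    origin = parse_origin(raw)
    if origin is None:
        return "deny: unparseable Origin"
    return "allow: origin" if origin_is_trusted(origin) else "deny: untrusted origin"
```

The subdomain rule deliberately trusts only default-port HTTPS origins; an http:// origin or a non-standard port under the same parent domain is refused rather than treated as a trusted subdomain.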
