
Re: Do we need to rename the Origin header?

From: Adam Barth <w3c@adambarth.com>
Date: Mon, 6 Apr 2009 13:04:16 -0700
Message-ID: <7789133a0904061304h1f4b909fj58eb4035b41773f8@mail.gmail.com>
To: Thomas Roessler <tlr@w3.org>
Cc: Jonas Sicking <jonas@sicking.cc>, Bil Corry <bil@corry.biz>, Ian Hickson <ian@hixie.ch>, Anne van Kesteren <annevk@opera.com>, public-webapps@w3.org, Maciej Stachowiak <mjs@apple.com>, Sam Weinig <weinig@apple.com>
On Mon, Apr 6, 2009 at 2:19 AM, Thomas Roessler <tlr@w3.org> wrote:
> Perhaps it's worthwhile to summarize the Mozilla-internal discussions and
> send them here first?  I'm having a sense that much of what's needed right
> now is for somebody to ask the right questions.

I'll let someone from Mozilla fill in the details, but the general
idea is twofold:

1) Enable CSRF mitigation for GET requests.

2) Provide additional information in the header to help mitigate
ClickJacking as well.

To achieve (1), the Mozilla proposal sends the header (let's call it
Blame-List for ease of discussion) for some GET requests, depending on
how the requests were generated.  For example, a hyperlink or an image
would not send Blame-List, but a form submission would.

To achieve (2), the Blame-List contains not only the origin that
initiated the request, but also the origin of all the ancestor frames.
For example, if attacker.com created an iframe to example.com, and
the user clicked on the "buy" button inside of the example.com iframe,
the header would look something like this:

Blame-List: http://example.com http://attacker.com

I believe Mozilla has fleshed out the details in a document somewhere.

Adam
Received on Monday, 6 April 2009 20:05:13 GMT
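The server-side half of the mechanism Adam sketches above, as an added example that is not part of the email or of the Mozilla proposal: an example.com endpoint that requires the ancestor-listing header on its state-changing "buy" action, denies the request when the initiating origin is untrusted (the CSRF case), and denies it when any framing ancestor is untrusted (the clickjacking case, which is exactly the `http://example.com http://attacker.com` header from the email). The header name `Blame-List` is the placeholder name used in the thread; the parsing rules (space-separated origins, requester first, outermost ancestor last), the trusted-origin set and the decision policy are this example's own assumptions.

```python
"""Server-side check for an ancestor-listing origin header.

Added example, not code from the email or from Mozilla. Assumptions:
  * header name "Blame-List" (the placeholder name from the thread);
  * value is a space-separated list of origins, the requesting origin
    first, then each ancestor frame outwards (as in the email's example);
  * a state-changing endpoint only accepts requests generated in a way
    that carries the header (e.g. a form submission), so its absence is
    treated as "not a legitimate form submission", not as "trusted".
"""
from dataclasses import dataclass
from urllib.parse import urlsplit

# Origins that this hypothetical example.com server accepts both as the
# requester and as a framing ancestor (constructed sample value).
TRUSTED_ORIGINS = {"http://example.com"}


@dataclass
class Decision:
    allowed: bool
    reason: str


def parse_blame_list(value):
    """Split the header into a list of normalized scheme://host[:port] origins.

    Returns None if any token is not a bare http/https origin, so that a
    malformed header is rejected rather than partially trusted.
    """
    origins = []
    for token in value.split():
        parts = urlsplit(token)
        if (parts.scheme not in ("http", "https")
                or not parts.netloc
                or parts.path not in ("", "/")
                or parts.query or parts.fragment):
            return None
        origins.append(f"{parts.scheme}://{parts.netloc}".lower())
    return origins


def check_state_changing_request(headers):
    """Decide whether a state-changing request (e.g. the "buy" action) may proceed.

    `headers` is a plain dict of request headers (header-name lookup is
    case-sensitive here for simplicity; a real server would normalize it).
    """
    value = headers.get("Blame-List")
    if value is None:
        # Hyperlinks and images do not carry the header in the proposal, and
        # neither does a cross-site request from a non-browser client.
        return Decision(False, "no Blame-List: not a form-generated request")

    origins = parse_blame_list(value)
    if not origins:
        return Decision(False, "malformed or empty Blame-List")

    requester, ancestors = origins[0], origins[1:]

    # CSRF: the origin that actually initiated the request must be ours.
    if requester not in TRUSTED_ORIGINS:
        return Decision(False, f"CSRF: request initiated by untrusted origin {requester}")

    # Clickjacking: every frame above the requester must be ours as well.
    for ancestor in ancestors:
        if ancestor not in TRUSTED_ORIGINS:
            return Decision(False, f"clickjacking: framed by untrusted ancestor {ancestor}")

    return Decision(True, "requester and all ancestors are trusted")


if __name__ == "__main__":
    # Constructed sample headers, including the one from the email.
    samples = [
        {"Blame-List": "http://example.com"},
        {"Blame-List": "http://example.com http://attacker.com"},
        {"Blame-List": "http://attacker.com"},
        {},
        {"Blame-List": "javascript:alert(1)"},
    ]
    for h in samples:
        d = check_state_changing_request(h)
        print(f"{h.get('Blame-List', '<absent>')!r:50} -> {'ALLOW' if d.allowed else 'DENY '} ({d.reason})")
```

Note the asymmetry the policy relies on: denying on an absent header is only safe for endpoints that are reached exclusively through a header-carrying request type, which is why the email ties header emission to how the request was generated rather than to the HTTP method alone.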
