W3C home > Mailing lists > Public > public-webapps@w3.org > April to June 2009

Re: Do we need to rename the Origin header?

From: Brandon Sterne <bsterne@mozilla.com>
Date: Mon, 06 Apr 2009 13:34:23 -0700
Message-ID: <49DA674F.1070700@mozilla.com>
To: Adam Barth <w3c@adambarth.com>
CC: Thomas Roessler <tlr@w3.org>, Jonas Sicking <jonas@sicking.cc>, Bil Corry <bil@corry.biz>, Ian Hickson <ian@hixie.ch>, Anne van Kesteren <annevk@opera.com>, public-webapps@w3.org, Maciej Stachowiak <mjs@apple.com>, Sam Weinig <weinig@apple.com>, Sid Stamm <sstamm@mozilla.com>
I'm adding Sid, who has been editing the document:

As is mentioned in the first section of that document, the name of the
proposed header is subject to change.


On 4/6/09 1:04 PM, Adam Barth wrote:
> On Mon, Apr 6, 2009 at 2:19 AM, Thomas Roessler <tlr@w3.org> wrote:
>> Perhaps it's worthwhile to summarize the Mozilla-internal discussions and
>> send them here first?  I'm having a sense that much of what's needed right
>> now is for somebody to ask the right questions.
> I'll let someone from Mozilla fill in the details, but the general
> idea is twofold:
> 1) Enable CSRF mitigation for GET requests.
> 2) Providing additional information in the header to help mitigate
> ClickJacking as well.
> To achieve (1), the Mozilla proposal sends the header (let's call it
> Blame-List for easy of discussion) for some GET requests, depending on
> how the requests were generated.  For example, a hyperlink or an image
> would not send Blame-List, but a form submission would.
> To achieve (2), the Blame-List contains not only the origin that
> initiated the request, but also the origin of all the ancestor frames.
>  For example, if attacker.com created an iframe to example.com, and
> the user clicked on the "buy" button inside of the example.com iframe,
> the header would look something like this:
> Blame-List: http://example.com http://attacker.com
> I believe Mozilla has fleshed out the details in a document somewhere.
> Adam
Received on Monday, 6 April 2009 20:34:59 UTC

This archive was generated by hypermail 2.3.1 : Wednesday, 11 February 2015 14:36:34 UTC