Re: Do we need to rename the Origin header?

From: Brandon Sterne <bsterne@mozilla.com>
Date: Mon, 06 Apr 2009 13:34:23 -0700
Message-ID: <49DA674F.1070700@mozilla.com>
To: Adam Barth <w3c@adambarth.com>
CC: Thomas Roessler <tlr@w3.org>, Jonas Sicking <jonas@sicking.cc>, Bil Corry <bil@corry.biz>, Ian Hickson <ian@hixie.ch>, Anne van Kesteren <annevk@opera.com>, public-webapps@w3.org, Maciej Stachowiak <mjs@apple.com>, Sam Weinig <weinig@apple.com>, Sid Stamm <sstamm@mozilla.com>

I'm adding Sid, who has been editing the document:
https://wiki.mozilla.org/Security/Origin

As is mentioned in the first section of that document, the name of the
proposed header is subject to change.

Thanks,
Brandon


On 4/6/09 1:04 PM, Adam Barth wrote:
> On Mon, Apr 6, 2009 at 2:19 AM, Thomas Roessler <tlr@w3.org> wrote:
>> Perhaps it's worthwhile to summarize the Mozilla-internal discussions and
>> send them here first?  I'm having a sense that much of what's needed right
>> now is for somebody to ask the right questions.
> 
> I'll let someone from Mozilla fill in the details, but the general
> idea is twofold:
> 
> 1) Enable CSRF mitigation for GET requests.
> 
> 2) Providing additional information in the header to help mitigate
> ClickJacking as well.
> 
> To achieve (1), the Mozilla proposal sends the header (let's call it
> Blame-List for ease of discussion) for some GET requests, depending on
> how the requests were generated.  For example, a hyperlink or an image
> would not send Blame-List, but a form submission would.
> 
> To achieve (2), the Blame-List contains not only the origin that
> initiated the request, but also the origin of all the ancestor frames.
> For example, if attacker.com created an iframe to example.com, and
> the user clicked on the "buy" button inside of the example.com iframe,
> the header would look something like this:
> 
> Blame-List: http://example.com http://attacker.com
> 
> I believe Mozilla has fleshed out the details in a document somewhere.
> 
> Adam
> 
Received on Monday, 6 April 2009 20:34:59 GMT
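
An added example, not part of the thread or of Mozilla's proposal: a server-side check a site could run on state-changing requests if browsers sent the header described in the quoted message. `Blame-List` is the thread's placeholder name; the field layout is assumed from the single sample header, and `TRUSTED_ORIGINS`, `parse_blame_list` and `check_request` are hypothetical names.

```python
from urllib.parse import urlsplit

# Hypothetical policy of the site receiving the request (constructed value).
TRUSTED_ORIGINS = {"http://example.com"}


def parse_blame_list(value):
    """Split a Blame-List value into normalized origins.

    Assumed layout, taken from the sample header in the message: origins
    separated by spaces, initiating origin first, ancestor frames after it.
    Raises ValueError for anything that is not a bare scheme://host[:port].
    """
    origins = []
    for token in value.split():
        parts = urlsplit(token)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            raise ValueError("not an origin: %r" % token)
        if parts.path not in ("", "/") or parts.query or parts.fragment or parts.username:
            raise ValueError("not a bare origin: %r" % token)
        origin = "%s://%s" % (parts.scheme, parts.hostname)
        if parts.port is not None:  # an invalid port also raises ValueError
            origin += ":%d" % parts.port
        origins.append(origin)
    if not origins:
        raise ValueError("empty Blame-List")
    return origins


def check_request(headers, trusted=TRUSTED_ORIGINS):
    """Return (allowed, reason) for a state-changing request."""
    value = headers.get("Blame-List")
    if value is None:
        # This example's policy choice: fail closed when the header is absent.
        return False, "no Blame-List header"
    try:
        origins = parse_blame_list(value)
    except ValueError as exc:
        return False, str(exc)
    initiator, ancestors = origins[0], origins[1:]
    if initiator not in trusted:
        return False, "cross-site initiator %s" % initiator  # CSRF case
    for frame in ancestors:
        if frame not in trusted:
            return False, "framed by %s" % frame  # clickjacking case
    return True, "ok"
```

Run against the sample header from the message, the check passes the initiating origin and rejects the request because of the `http://attacker.com` ancestor frame.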