W3C home > Mailing lists > Public > public-webapps@w3.org > April to June 2009

Re: Do we need to rename the Origin header?

From: Adam Barth <w3c@adambarth.com>
Date: Tue, 7 Apr 2009 09:54:11 -0700
Message-ID: <7789133a0904070954o20e26a40q14ace19c51c94890@mail.gmail.com>
To: Bil Corry <bil@corry.biz>
Cc: Thomas Roessler <tlr@w3.org>, Jonas Sicking <jonas@sicking.cc>, Ian Hickson <ian@hixie.ch>, Anne van Kesteren <annevk@opera.com>, public-webapps@w3.org, Maciej Stachowiak <mjs@apple.com>, Sam Weinig <weinig@apple.com>, Sid Stamm <sstamm@mozilla.com> 
On Mon, Apr 6, 2009 at 2:09 PM, Bil Corry <bil@corry.biz> wrote:
> Can we please include the Origin header for all same-origin requests, including GET and HEAD?  Or is there a compelling reason why not do to so?
>
> Also, would there be value in having Origin sent for *all* requests, and if populating Origin is prohibited for that request (e.g. cross-origin GET), it sends "null" as the value?


In order to make the Origin header a workable CSRF defense for GET,
we'd have to send "null" on cross-origin GET requests (otherwise the
attacker can suppress the header by making a GET request from another
origin).  However, this is inconsistent with CORS.

Adam
Received on Tuesday, 7 April 2009 16:55:04 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Monday, 7 December 2009 10:43:10 GMT