
Re: Do we need to rename the Origin header?

From: Bil Corry <bil@corry.biz>
Date: Wed, 08 Apr 2009 15:32:01 -0500
Message-ID: <49DD09C1.7010108@corry.biz>
To: Adam Barth <w3c@adambarth.com>
CC: Thomas Roessler <tlr@w3.org>, Jonas Sicking <jonas@sicking.cc>, Ian Hickson <ian@hixie.ch>, Anne van Kesteren <annevk@opera.com>, public-webapps@w3.org, Maciej Stachowiak <mjs@apple.com>, Sam Weinig <weinig@apple.com>, Sid Stamm <sstamm@mozilla.com>, Brandon Sterne <bsterne@mozilla.com>
Adam Barth wrote on 4/7/2009 11:54 AM: 
> On Mon, Apr 6, 2009 at 2:09 PM, Bil Corry <bil@corry.biz> wrote:
>> Can we please include the Origin header for all same-origin requests, including GET and HEAD?  Or is there a compelling reason why not to do so?

BTW, one reason to do this is to help deter timing attacks.  Any request that arrives for the login page or a protected page that isn't same-origin can be redirected to a common landing page.


>> Also, would there be value in having Origin sent for *all* requests, and if populating Origin is prohibited for that request (e.g. cross-origin GET), it sends "null" as the value?
> 
> In order to make the Origin header a workable CSRF defense for GET,
> we'd have to send "null" on cross-origin GET requests (otherwise the
> attacker can suppress the header by making a GET request from another
> origin).  However, this is inconsistent with CORS.

If a header similar to Mozilla's Origin were to be adopted by the major UAs, then as a webapp developer, I would never again look at Origin.  Especially if the new header was sent with *all* requests (NULL where appropriate), included the redirect hosts, and was populated for same-origin requests.  It would, in effect, render Origin obsolete.


- Bil
Received on Wednesday, 8 April 2009 20:32:52 GMT
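As an added illustration of the two header semantics argued over in this message (it is not code from the thread or from any UA or W3C spec), the following Python models a server-side Origin check under both: CORS-style, where a GET carries no Origin whether it is a same-origin navigation or a cross-origin fetch, and the "always send, 'null' where prohibited" behaviour Bil asks for. It also applies the landing-page redirect from the first paragraph. The site origin, the paths, the landing URL and the request objects are all constructed for the example.

```python
"""Origin-header policy check under two header semantics (added example).

CORS-style: Origin is omitted on GET/HEAD, so an absent header on a GET is ambiguous.
Always-send: every request carries Origin; the literal value "null" means the UA
declined to disclose it.  Site origin, paths and landing URL below are constructed.
"""
from dataclasses import dataclass
from typing import Optional

SAFE_METHODS = {"GET", "HEAD"}


@dataclass
class Request:
    method: str
    path: str
    origin: Optional[str]  # value of the Origin header, or None when the header is absent


@dataclass
class Response:
    status: int
    location: Optional[str] = None


def _norm(origin: str) -> str:
    # Origin values are scheme://host[:port]; scheme and host compare case-insensitively.
    return origin.strip().rstrip("/").lower()


def classify(req: Request, site_origin: str, always_send: bool) -> str:
    """Return 'same', 'cross' or 'unknown' for the request's relationship to site_origin."""
    if req.origin is None:
        if always_send:
            # A conforming always-send UA never omits the header; treat absence as cross-site.
            return "cross"
        if req.method.upper() in SAFE_METHODS:
            # CORS-style UAs omit Origin on GET/HEAD for same-origin navigations and for
            # cross-origin <img>/<a> fetches alike, so the header tells us nothing here.
            return "unknown"
        return "cross"  # no Origin on a POST: legacy UA or a stripped header; not same-origin
    if req.origin.strip().lower() == "null":
        return "cross"  # the UA explicitly withheld the origin; never treat as same-origin
    return "same" if _norm(req.origin) == _norm(site_origin) else "cross"


def handle(req: Request, site_origin: str, always_send: bool,
           protected_paths=("/login", "/account"), landing="/welcome") -> Response:
    """Apply the policy from the message: requests for the login or protected pages that are
    not same-origin go to a common landing page; non-same-origin state changes are refused."""
    rel = classify(req, site_origin, always_send)
    if rel == "same":
        return Response(200)
    if rel == "unknown":
        # The Origin check cannot decide a CORS-style GET, so it cannot block it either;
        # this is the gap that motivates sending "null" on cross-origin GET.
        return Response(200)
    if req.path in protected_paths:
        return Response(302, location=landing)
    if req.method.upper() not in SAFE_METHODS:
        return Response(403)
    return Response(200)  # cross-origin GET of an unprotected resource is allowed


if __name__ == "__main__":
    site = "https://example.test"  # constructed
    for always in (False, True):
        for req in (Request("GET", "/login", None),
                    Request("GET", "/login", "null"),
                    Request("POST", "/transfer", "https://other.test"),
                    Request("POST", "/transfer", "HTTPS://Example.test/")):
            r = handle(req, site, always)
            print(f"always_send={always!s:5} {req.method:4} {req.path:10} "
                  f"Origin={req.origin!s:24} -> {r.status} {r.location or ''}")
```

The table printed by the `__main__` block shows the point of the exchange: with CORS-style semantics a cross-origin GET to `/login` with no Origin is indistinguishable from a same-origin navigation and goes through, whereas under always-send semantics the same request (absent header or "null") is redirected to the landing page.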

This archive was generated by hypermail 2.3.1 : Tuesday, 26 March 2013 18:49:31 GMT