On Wed, Apr 8, 2009 at 1:32 PM, Bil Corry <bil@corry.biz> wrote:
> BTW, one reason to do this is to help deter timing attacks. Any request that arrives for the login page or a protected page that isn't same-origin can be redirected to a common landing page.

This doesn't make much sense. People mount timing attacks against the login form from their own machine (where they can send whatever headers they like).

Adam

Received on Thursday, 9 April 2009 04:24:03 GMT