
Re: Do we need to rename the Origin header?

From: Adam Barth <w3c@adambarth.com>
Date: Wed, 8 Apr 2009 22:21:38 -0700
Message-ID: <7789133a0904082221n7488a259vf6b02e779f1e43fb@mail.gmail.com>
To: Bil Corry <bil@corry.biz>
Cc: Thomas Roessler <tlr@w3.org>, Jonas Sicking <jonas@sicking.cc>, Ian Hickson <ian@hixie.ch>, Anne van Kesteren <annevk@opera.com>, public-webapps@w3.org, Maciej Stachowiak <mjs@apple.com>, Sam Weinig <weinig@apple.com>, Sid Stamm <sstamm@mozilla.com>, Brandon Sterne <bsterne@mozilla.com>
On Wed, Apr 8, 2009 at 10:09 PM, Bil Corry <bil@corry.biz> wrote:
> Using the above scenario, if Origin was populated and sent for all same-origin requests (including GET), the website could simply redirect any request for any protected resource that isn't same-origin.

Then no one could link to the site.  Virtually every site is going to
have some page that both wants to be world-linkable and has different
time characteristics for logged in / not logged in.  The Origin header
is useful for many things but not for defeating timing attacks.

Adam
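To make the trade-off in the exchange above concrete, here is an added example (not code from either correspondent or from any W3C draft) that models the policy Bil describes: a site whose protected pages redirect every request whose Origin header is not the site's own origin. The site origin, the protected path prefix and the four request header sets are constructed for illustration; the handling of a request with no Origin header at all is an assumption about how the proposed rule would treat such requests. Running it shows the outcome Adam points to: a request for a protected page that arrives from a link on another site is turned away, so the page is no longer world-linkable.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url):
    """Serialize the (scheme, host, port) origin of a URL or of an Origin header value.

    Default ports are dropped so that 'https://example.com:443' and
    'https://example.com' compare equal; scheme and host are case-folded.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port  # None when absent; urlsplit raises ValueError on a malformed port
    if port is None or port == DEFAULT_PORTS.get(scheme):
        return f"{scheme}://{host}"
    return f"{scheme}://{host}:{port}"


# Constructed for this example: the site applying the policy, and the paths
# whose response time differs depending on whether the visitor is logged in.
SITE_ORIGIN = "https://forum.example"
PROTECTED_PREFIXES = ("/profile/",)


def decide(method, path, headers):
    """Apply the proposed rule: a request for a protected resource is served only
    when its Origin header matches the site's own origin; anything else is
    redirected instead of being served (so no timing signal leaks).

    Returns ("serve", path) or ("redirect", location).
    """
    if not path.startswith(PROTECTED_PREFIXES):
        return ("serve", path)
    origin = headers.get("Origin")
    # Assumption: a request carrying no Origin header is treated as not
    # same-origin, since the rule only admits a matching Origin value.
    if origin is not None and origin_of(origin) == SITE_ORIGIN:
        return ("serve", path)
    return ("redirect", "/")


# Constructed request header sets, not captured traffic.
REQUESTS = {
    "same-origin navigation": ("GET", "/profile/alice", {"Origin": "https://forum.example:443"}),
    "link followed from another site": ("GET", "/profile/alice", {"Origin": "https://blog.example"}),
    "request with no Origin header": ("GET", "/profile/alice", {}),
    "public page linked from another site": ("GET", "/about", {"Origin": "https://blog.example"}),
}


def evaluate_all():
    """Run every constructed request through the policy; returns name -> decision."""
    return {name: decide(*request) for name, request in REQUESTS.items()}


if __name__ == "__main__":
    for name, outcome in evaluate_all().items():
        print(f"{name:38} -> {outcome}")
```

The second case is the one that matters for the argument: the profile page is exactly the kind of resource a site wants other sites to link to, yet under this policy the inbound link is redirected away. Narrowing PROTECTED_PREFIXES does not help, because any page that renders differently for logged-in and anonymous visitors has a timing difference, and most such pages also want to be linkable.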
Received on Thursday, 9 April 2009 05:37:38 GMT