Re: Do we need to rename the Origin header?

From: Bil Corry <bil@corry.biz>
Date: Thu, 09 Apr 2009 10:48:20 -0500
Message-ID: <49DE18C4.8080101@corry.biz>
To: Ian Hickson <ian@hixie.ch>
CC: public-webapps@w3.org
Ian Hickson wrote on 4/9/2009 1:42 AM: 
> On Thu, 9 Apr 2009, Bil Corry wrote:
>> For example, imagine instead you visit a malicious site, and it wants to 
>> phish your banking credentials.  But rather than choosing a random bank 
>> and hoping you bank there, it instead launches a series of timing 
>> attacks against the top 30 banks, determines which bank(s) you're logged 
>> into, then tries phishing against the one you're logged into.  
>> CORS-Origin can't help, but a robust Origin could.
> 
> You could just do a timing attack against non-login-protected assets that 
> are only shown while logged in, or even just do timing attacks against any 
> cached resource from the site, to see if they visited it. Or heck, you 
> could just do a regular :visited history probing attack to see which site 
> they visited. If we wanted to protect against timing attacks like this 
> I think we would need to just have the browser itself ensure all network 
> traffic has unpredictable timing (and remove the visited URLs features).

My point is that a robust Origin moves us closer to better security controls, perhaps not all the way, but certainly much closer than CORS-Origin gets us.


- Bil
Received on Thursday, 9 April 2009 15:49:07 GMT