Redirect and Origin

The Origin I-D says the following about redirects:

"""
If a user agent issues an HTTP request in reaction to an HTTP
redirect, the Origin header MUST contain the same value as the Origin
header in the HTTP request that generated the redirect.
"""

So if a page from Victim origin sends a request to Attacker origin
which is redirected to a URL at Victim origin, the server at Victim
origin receives a request with user credentials for Victim origin and
an Origin header value for Victim origin. The Origin I-D says "don't
do that" at the end of section 6, meaning there's no way to send a
request to another origin unless you have complete trust in it. That
seems rather restrictive. Is there really no way to send a request to
another origin without being vulnerable? Wasn't that the whole point
of creating a mechanism to replace JSON-P?

--Tyler

Received on Tuesday, 9 June 2009 20:48:09 UTC