
Redirect and Origin

From: Tyler Close <tyler.close@gmail.com>
Date: Tue, 9 Jun 2009 13:47:32 -0700
Message-ID: <5691356f0906091347t43f896a9jb78b45976a1184c0@mail.gmail.com>
To: public-webapps <public-webapps@w3.org>

The Origin I-D says the following about redirects:

"""
If a user agent issues an HTTP request in reaction to an HTTP
   redirect, the Origin header MUST contain the same value as the Origin
   header in the HTTP request that generated the redirect.
"""

So if a page from Victim origin sends a request to Attacker origin
which is redirected to a URL at Victim origin, the server at Victim
origin receives a request with user credentials for Victim origin and
an Origin header value for Victim origin. The Origin I-D says: "don't
do that" at the end of section 6; meaning there's no way to send a
request to another origin unless you have complete trust for it. That
seems rather restrictive. Is there really no way to send a request to
another origin without being vulnerable? Wasn't that the whole point
of creating a mechanism to replace JSON-P?

--Tyler
Received on Tuesday, 9 June 2009 20:48:09 GMT
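The following is an added illustration, not code from the post or from the Origin I-D. It models in memory the redirect case Tyler describes: a page at a Victim origin requests a URL at an Attacker origin, which answers with a redirect back to Victim, and the user agent applies the quoted rule (the Origin header on the redirected request is the same as on the request that produced the redirect) while attaching the credentials it holds for the target origin. The origins, cookie values, endpoint paths and handler names are constructed for the simulation. It then shows why a server that treats "Origin matches my own origin" as proof of a same-origin request is misled, and contrasts it with a server that also requires a per-session anti-CSRF token that the page only attaches to requests it intends for its own origin.

```python
"""In-memory model of the redirect-and-Origin case; no sockets, no browser.
All origins, cookie values and paths below are constructed for the example."""
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional
import secrets

VICTIM = "https://victim.example"      # constructed origin
ATTACKER = "https://attacker.example"  # constructed origin

@dataclass
class Request:
    url: str                      # absolute URL being fetched
    origin: str                   # value of the Origin header
    cookies: Dict[str, str] = field(default_factory=dict)
    headers: Dict[str, str] = field(default_factory=dict)

@dataclass
class Response:
    status: int
    location: Optional[str] = None
    body: str = ""

def origin_of(url: str) -> str:
    scheme, rest = url.split("://", 1)
    return f"{scheme}://{rest.split('/', 1)[0]}"

class UserAgent:
    """Follows redirects under the I-D rule quoted in the post: the Origin
    header is carried unchanged onto the redirected request. Cookies are
    attached per target origin from the jar, as a browser would."""
    def __init__(self, cookie_jar: Dict[str, Dict[str, str]]):
        self.jar = cookie_jar
        self.log = []  # every request actually emitted, in order

    def fetch(self, page_origin: str, url: str,
              servers: Dict[str, Callable[[Request], Response]],
              extra_headers: Optional[Dict[str, str]] = None) -> Response:
        origin_header = page_origin
        for _ in range(5):
            req = Request(url, origin_header,
                          dict(self.jar.get(origin_of(url), {})),
                          dict(extra_headers or {}))
            self.log.append(req)
            resp = servers[origin_of(url)](req)
            if resp.status in (301, 302, 303, 307) and resp.location:
                url = resp.location  # Origin header deliberately unchanged
                continue
            return resp
        raise RuntimeError("too many redirects")

SESSION = {"session": "sess-abc"}                       # constructed cookie
CSRF_TOKENS = {"sess-abc": secrets.token_hex(16)}        # token bound to session

def attacker_server(req: Request) -> Response:
    # Answers any request with a redirect to a state-changing Victim URL.
    return Response(302, location=f"{VICTIM}/transfer?to=attacker&amount=100")

def victim_origin_only(req: Request) -> Response:
    # Weak: a valid session cookie plus Origin == own origin is taken as proof
    # that the page at Victim meant to call this endpoint.
    if req.cookies.get("session") in CSRF_TOKENS and req.origin == VICTIM:
        return Response(200, body="transferred")
    return Response(403, body="rejected")

def victim_with_token(req: Request) -> Response:
    # Also requires the per-session token the page only sends to its own origin.
    sess = req.cookies.get("session")
    token = req.headers.get("X-CSRF-Token", "")
    if (sess in CSRF_TOKENS and req.origin == VICTIM
            and secrets.compare_digest(token, CSRF_TOKENS[sess])):
        return Response(200, body="transferred")
    return Response(403, body="rejected")

def run_scenario(victim_handler: Callable[[Request], Response]) -> dict:
    """Run a legitimate same-origin call and then the post's redirect case
    against the given Victim handler; report what the server saw and decided."""
    servers = {VICTIM: victim_handler, ATTACKER: attacker_server}
    ua = UserAgent({VICTIM: dict(SESSION)})
    # 1. The Victim page calls its own endpoint and attaches its token.
    direct = ua.fetch(VICTIM, f"{VICTIM}/transfer?to=alice&amount=5", servers,
                      {"X-CSRF-Token": CSRF_TOKENS[SESSION["session"]]})
    # 2. The Victim page calls Attacker (no token: not meant for Victim);
    #    Attacker redirects back to Victim.
    redirected = ua.fetch(VICTIM, f"{ATTACKER}/api", servers)
    last = ua.log[-1]  # the request Victim actually received in case 2
    return {"direct": direct.status, "redirected": redirected.status,
            "final_origin_header": last.origin,
            "final_has_session": "session" in last.cookies}

if __name__ == "__main__":
    print("Origin-only check :", run_scenario(victim_origin_only))
    print("Origin + token    :", run_scenario(victim_with_token))
```

In the Origin-only case the redirected request reaches Victim with the session cookie and an Origin header of the Victim origin, exactly as the post says, and the server accepts it. The token variant rejects it because the page never attached its token to a request it aimed at another origin, while the direct call still succeeds; the point is that the Origin header describes which page initiated the chain, not which origin the page intended to reach.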
