On Fri, Jun 12, 2009 at 7:17 PM, Mark S. Miller<erights@google.com> wrote: > On Fri, Jun 12, 2009 at 7:03 PM, Adam Barth <w3c@adambarth.com> wrote: >> >> > What server side behavior difference do you expect between messages with >> > no Origin and messages with "Origin: null". >> >> You'll have to include Origin: null for POST requests. You should >> include it for GET as well. > > Does "have to" == "MUST"? That's what's required (at the MUST level) by draft-abarth-origin. > On credential-free GET, why "should" rather than "MUST"? Because draft-abarth-origin doesn't require it at the MUST level. > Isn't your answer above only about client (user agent) behavior? I'd still > like understand what the recommended/expected difference in server behavior > should/might be depending of whether Origin is absent or null. Thanks. Suppose GuestXHR doesn't send an Origin header for any requests and a server uses the algorithm in draft-abarth-origin to mitigate CSRF attacks. Now, an attacker can mount a CSRF attack against the server. AdamReceived on Saturday, 13 June 2009 05:37:09 GMT
This archive was generated by hypermail 2.2.0+W3C-0.50 : Monday, 7 December 2009 10:43:11 GMT