- From: Adam Barth <w3c@adambarth.com>
- Date: Fri, 12 Jun 2009 22:36:11 -0700
- To: "Mark S. Miller" <erights@google.com>
- Cc: Anne van Kesteren <annevk@opera.com>, Tyler Close <tyler.close@gmail.com>, public-webapps <public-webapps@w3.org>
On Fri, Jun 12, 2009 at 7:17 PM, Mark S. Miller<erights@google.com> wrote: > On Fri, Jun 12, 2009 at 7:03 PM, Adam Barth <w3c@adambarth.com> wrote: >> >> > What server side behavior difference do you expect between messages with >> > no Origin and messages with "Origin: null". >> >> You'll have to include Origin: null for POST requests. You should >> include it for GET as well. > > Does "have to" == "MUST"? That's what's required (at the MUST level) by draft-abarth-origin. > On credential-free GET, why "should" rather than "MUST"? Because draft-abarth-origin doesn't require it at the MUST level. > Isn't your answer above only about client (user agent) behavior? I'd still > like understand what the recommended/expected difference in server behavior > should/might be depending of whether Origin is absent or null. Thanks. Suppose GuestXHR doesn't send an Origin header for any requests and a server uses the algorithm in draft-abarth-origin to mitigate CSRF attacks. Now, an attacker can mount a CSRF attack against the server. Adam
Received on Saturday, 13 June 2009 05:37:09 UTC