
Re: XHR without user credentials

From: Adam Barth <w3c@adambarth.com>
Date: Fri, 12 Jun 2009 22:36:11 -0700
Message-ID: <7789133a0906122236i361c3415w647ced7bfc93ac40@mail.gmail.com>
To: "Mark S. Miller" <erights@google.com>
Cc: Anne van Kesteren <annevk@opera.com>, Tyler Close <tyler.close@gmail.com>, public-webapps <public-webapps@w3.org>
On Fri, Jun 12, 2009 at 7:17 PM, Mark S. Miller <erights@google.com> wrote:
> On Fri, Jun 12, 2009 at 7:03 PM, Adam Barth <w3c@adambarth.com> wrote:
>>
>> > What server side behavior difference do you expect between messages with
>> > no Origin and messages with "Origin: null".
>>
>> You'll have to include Origin: null for POST requests.  You should
>> include it for GET as well.
>
> Does "have to" == "MUST"?

That's what's required (at the MUST level) by draft-abarth-origin.

> On credential-free GET, why "should" rather than "MUST"?

Because draft-abarth-origin doesn't require it at the MUST level.

> Isn't your answer above only about client (user agent) behavior? I'd still
> like to understand what the recommended/expected difference in server behavior
> should/might be depending on whether Origin is absent or null. Thanks.

Suppose GuestXHR doesn't send an Origin header for any requests and a
server uses the algorithm in draft-abarth-origin to mitigate CSRF
attacks.  Now, an attacker can mount a CSRF attack against the server.

Adam
Received on Saturday, 13 June 2009 05:37:09 GMT
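To make the server-side difference concrete, here is an added example (not from the thread or from draft-abarth-origin itself) of a request check modelled on the draft's Origin-based CSRF mitigation: an Origin that is present but not on the allow-list ("null" included) is rejected, while an absent Origin falls through as a legacy user agent, which is the gap Adam describes for a client that never sends the header. The allow-list, sample requests and the `accept_missing_origin` switch are assumptions.

```python
from typing import Mapping, Tuple

# Constructed allow-list and sample requests (assumptions, not from the thread).
ALLOWED_ORIGINS = frozenset({"https://app.example"})
STATE_CHANGING = frozenset({"POST", "PUT", "DELETE", "PATCH"})


def origin_csrf_check(method: str, headers: Mapping[str, str],
                      accept_missing_origin: bool = True) -> Tuple[bool, str]:
    """Decide whether to serve a request under an Origin-header CSRF rule
    modelled on draft-abarth-origin.

    * Origin present and on the allow-list -> accept.
    * Origin present but not on the list   -> reject; "null" never matches, so a
      credential-free cross-site request is refused.
    * Origin absent                        -> accepted for compatibility with
      user agents that never send Origin. That fall-through is why a client
      that omits the header on every request can be used to forge a POST.
      accept_missing_origin=False closes it for servers without legacy clients.
    """
    # Header names are case-insensitive; normalise before lookup.
    origin = {k.lower(): v for k, v in headers.items()}.get("origin")
    if origin is not None:
        if origin in ALLOWED_ORIGINS:
            return True, "Origin on allow-list"
        return False, f"Origin {origin!r} not on allow-list"
    if method.upper() in STATE_CHANGING and not accept_missing_origin:
        return False, "no Origin on state-changing request"
    return True, "no Origin header: treated as legacy user agent"


def demo():
    """Run the three cases discussed in the thread plus a safe GET."""
    cases = [
        ("POST", {"Origin": "https://app.example"}),  # same-site request
        ("POST", {"Origin": "null"}),                  # credential-free cross-site
        ("POST", {}),                                  # client that omits Origin
        ("GET", {}),
    ]
    return {(m, h.get("Origin", "<absent>")): origin_csrf_check(m, h)
            for m, h in cases}
```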
