Re: Do we need to rename the Origin header?

From: Adam Barth <w3c@adambarth.com>
Date: Tue, 13 Jan 2009 10:02:07 -0800
Message-ID: <7789133a0901131002k5559e02eu323eb5bfb3b4b6ed@mail.gmail.com>
To: "Anne van Kesteren" <annevk@opera.com>
Cc: "Jonas Sicking" <jonas@sicking.cc>, public-webapps@w3.org, "Maciej Stachowiak" <mjs@apple.com>, "Sam Weinig" <weinig@apple.com>

On Tue, Jan 13, 2009 at 7:31 AM, Anne van Kesteren <annevk@opera.com> wrote:
> On Tue, 13 Jan 2009 01:31:49 +0100, Jonas Sicking <jonas@sicking.cc> wrote:
>> My suggestion is to rename "Origin" to "Access-Control-Request-Origin"
>> or "Access-Control-Origin" if possible (depends on where current
>> implementers are in their ship schedule), or that we request that the
>> CSRF protection header be renamed to something other than "Origin".
>
> I'm fine with renaming it to Access-Control-Request-Origin as far as the
> Access Control draft is concerned.
>
> Maciej, Sam, Adam?

I agree with Thomas that having two headers that are the same in the
common case will lead to author confusion and server vulnerabilities.

One possibility is to change the Origin-header-for-CSRF-protection to
behave identically as the Origin-header-for-cross-site-XHR (i.e.,
don't set it to "null" on cross-origin redirects).  This would mean a
site couldn't use the header for CSRF protection if it generates POST
requests to untrusted sites.  I suspect this is fairly rare (although
I don't have hard numbers at my fingertips).

I don't think we should design the Origin-header-for-CSRF-protection
as the end-all, be-all CSRF defense.  Instead, we should optimize it
to be an easy-to-use defense that works well for 90% of sites.

Adam
Received on Tuesday, 13 January 2009 18:02:52 GMT
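The check the message is arguing about, as an added example: a server-side CSRF decision keyed on the Origin request header, plus a small model of the two header semantics being contrasted (the CSRF-protection draft, which the message says sets the header to "null" on a cross-origin redirect, and the cross-site XHR draft, which does not). This is not code from the thread or from any browser or draft; the function names, the TRUSTED set, the example origins, and the assumption that each redirect hop is a 307 (so the POST method and body survive) are all mine.

```javascript
// Added example, not code from the W3C thread or from any browser/spec.
// Names (checkOriginCsrf, originSeenByTarget, decisionUnder, TRUSTED) and the
// example origins a.example / b.example / evil.example are assumptions.

// Origins the server accepts state-changing requests from. Compare the whole
// origin string (scheme + host + port); a suffix or substring match such as
// origin.endsWith('a.example') is a classic bypass (https://a.example.evil.example).
const TRUSTED = new Set(['https://a.example']);

// Methods that must have no side effects and therefore need no CSRF check.
const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS']);

// Returns 'allow', 'deny' or 'fallback'. 'fallback' means the header is
// absent (a browser that predates Origin), so the server must decide with
// another mechanism, e.g. a secret validation token.
function checkOriginCsrf(method, headers, trusted = TRUSTED) {
  if (SAFE_METHODS.has(method.toUpperCase())) return 'allow';

  // HTTP header names are case-insensitive; normalise before lookup.
  let origin;
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() === 'origin') { origin = value; break; }
  }
  if (origin === undefined) return 'fallback';

  // "null" is the literal value sent for an opaque origin, which under the
  // CSRF-protection draft includes a request redirected across origins.
  if (origin === 'null') return 'deny';

  return trusted.has(origin) ? 'allow' : 'deny';
}

// Model of the Origin value the final target sees after a redirect chain.
// chain[0] is the origin of the page that started the request, chain[1] the
// first request target, chain[2..] the redirect targets (assumed 307s).
//   'csrf'  : value becomes "null" once any redirect hop changes origin
//             (the CSRF-draft behaviour as the message describes it)
//   'xsxhr' : never nulled; the initiator's origin is kept throughout
//             (assumed reading of "don't set it to null on cross-origin redirects")
function originSeenByTarget(chain, semantics) {
  const initiator = chain[0];
  if (semantics === 'xsxhr') return initiator;
  for (let i = 2; i < chain.length; i++) {
    if (chain[i] !== chain[i - 1]) return 'null';
  }
  return initiator;
}

// Scenario from the message: site A POSTs to untrusted site B, and B answers
// with a 307 redirect to an A endpoint that changes state.
const REDIRECT_CHAIN = ['https://a.example', 'https://b.example', 'https://a.example'];

function decisionUnder(semantics) {
  const origin = originSeenByTarget(REDIRECT_CHAIN, semantics);
  return checkOriginCsrf('POST', { Origin: origin });
}

// Direct cases
console.log(checkOriginCsrf('POST', { Origin: 'https://a.example' }));    // allow
console.log(checkOriginCsrf('POST', { origin: 'https://evil.example' }));  // deny
console.log(checkOriginCsrf('POST', { Origin: 'null' }));                  // deny
console.log(checkOriginCsrf('POST', {}));                                  // fallback
console.log(checkOriginCsrf('GET', { Origin: 'https://evil.example' }));   // allow
// Redirect-through-untrusted-site cases
console.log(decisionUnder('csrf'));   // deny  (A saw Origin: null)
console.log(decisionUnder('xsxhr'));  // allow (A saw its own origin; the CSRF gets through)
```

The last two lines are the message's point in code: with the CSRF-draft semantics A rejects the bounced POST because the header reads "null", while with the cross-site XHR semantics the same request arrives carrying A's own origin and passes, so a site that POSTs to untrusted sites cannot rely on that header alone.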