Re: Do we need to rename the Origin header?

From: Bil Corry <bil@corry.biz>
Date: Tue, 13 Jan 2009 20:35:02 -0600
Message-ID: <496D4F56.5020503@corry.biz>
To: Ian Hickson <ian@hixie.ch>
CC: Jonas Sicking <jonas@sicking.cc>, Adam Barth <w3c@adambarth.com>, Anne van Kesteren <annevk@opera.com>, public-webapps@w3.org, Maciej Stachowiak <mjs@apple.com>, Sam Weinig <weinig@apple.com>

Ian Hickson wrote on 1/13/2009 7:09 PM: 
> On Tue, 13 Jan 2009, Jonas Sicking wrote:
>> It's not just POST that we need to worry about, ideally we should cover 
>> the GET case as well. Or at least it's quite likely that we will want 
>> to.
> 
> My understanding was that we didn't want to include Origin in GET 
> requests. In fact HTML5 right now goes out of its way to avoid including 
> it in GET requests.

Presumably it's due to the concern raised by "Origin Header for CSRF Mitigation":

-----
The Origin header also improves on the Referer header by NOT leaking intranet host names to external sites when a user follows a hyperlink from an intranet host to an external site because hyperlinks generate GET requests.

http://crypto.stanford.edu/websec/specs/origin-header/
-----

What would be more helpful though is if the Origin header is sent for any GET/HEAD requests that are sent back to the same domain; that way, the domain can confirm the request is coming from itself and it still avoids leaking intranet host names to external sites.


- Bil
Received on Wednesday, 14 January 2009 02:35:49 GMT
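The rule Bil proposes (Origin on every POST, but on GET/HEAD only when the request goes back to the same origin as the page) and the server-side check it would enable are easy to model in a few lines. The following is an added example, not code from the thread, from the W3C, or from any browser; the hostnames and request values are constructed for illustration, and the `intranet.example` / `external.example` names are assumptions.

```python
# Added example (Python); not code from the thread, the W3C, or any browser.
# It models two things the message above talks about:
#   1. the browser-side rule proposed there: emit Origin on POST, and on
#      GET/HEAD only when the request goes back to the page's own origin;
#   2. a server-side check that uses Origin to confirm a request came from
#      the site itself.
# All hostnames and request values are constructed for illustration.
from urllib.parse import urlsplit

SAFE_METHODS = {"GET", "HEAD"}


def origin_of(url):
    """Return scheme://host[:port] for a URL, or None if it cannot be parsed."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.hostname:
        return None
    host = parts.hostname.lower()
    # Keep an explicit non-default port; drop the scheme's default one.
    default = {"http": 80, "https": 443}.get(parts.scheme)
    if parts.port is not None and parts.port != default:
        host = f"{host}:{parts.port}"
    return f"{parts.scheme}://{host}"


def origin_header_for(page_url, target_url, method):
    """Browser-side model of the proposed rule.

    Returns the value the Origin header would carry, or None when the header
    is omitted. A GET/HEAD to a different origin (following a hyperlink from
    an intranet page to an external site) sends no Origin, so the intranet
    hostname is not leaked; a GET/HEAD back to the same origin does send it,
    so that server can recognise its own requests.
    """
    page_origin = origin_of(page_url)
    target_origin = origin_of(target_url)
    if page_origin is None or target_origin is None:
        return None
    if method.upper() in SAFE_METHODS and page_origin != target_origin:
        return None
    return page_origin


def classify_request(headers, own_origin):
    """Server-side view of one request, based on the Origin header alone.

    `headers` is a dict of request headers; lookup is case-insensitive.
    Returns "same-origin", "cross-site" or "absent". An unparsable value
    (for example the literal "null") counts as cross-site, never as our own.
    """
    origin = next((v for k, v in headers.items() if k.lower() == "origin"), None)
    if origin is None:
        return "absent"
    return "same-origin" if origin_of(origin) == own_origin else "cross-site"


def accept(method, headers, own_origin):
    """Policy: state-changing requests must carry our own Origin.

    GET/HEAD are accepted unless an Origin header is present and names a
    different site; an absent Origin on a safe method is ordinary navigation
    (hyperlink, bookmark, typed URL) and is not treated as hostile.
    """
    verdict = classify_request(headers, own_origin)
    if method.upper() in SAFE_METHODS:
        return verdict != "cross-site"
    return verdict == "same-origin"


if __name__ == "__main__":
    own = "https://intranet.example"
    # Hyperlink from the intranet to an external site: no Origin, nothing leaked.
    print(origin_header_for(own + "/wiki", "https://external.example/", "GET"))
    # Same-origin GET: Origin is sent, so the intranet server can confirm it.
    print(origin_header_for(own + "/wiki", own + "/edit?id=7", "GET"))
    print(accept("POST", {"Origin": own}, own))
    print(accept("POST", {"Origin": "https://external.example"}, own))
```

Running the block prints `None`, the intranet origin, `True` and `False` in that order. The browser-side function is a model of the proposal, not of what any 2009 browser did; the server-side `accept` is the kind of check a site could apply once Origin is reliably present on the requests it cares about.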