Re: [access-control] Access-Control-Allow-Origin: * and ascii-origin in IE8

From: Bil Corry <bil@corry.biz>
Date: Wed, 14 Jan 2009 19:32:57 -0600
Message-ID: <496E9249.8060107@corry.biz>
To: Maciej Stachowiak <mjs@apple.com>
CC: Adrian Bateman <adrianba@microsoft.com>, Anne van Kesteren <annevk@opera.com>, Jonas Sicking <jonas@sicking.cc>, "public-webapps@w3.org" <public-webapps@w3.org>

Maciej Stachowiak wrote on 1/14/2009 6:14 PM: 
> Why does the CSRF defense header need to change on redirect?

Because to the site on the far end, it would appear the request came from somewhere it didn't, effectively hiding the real source of the request.  This probably explains it better:

-----
When an honest site initiates a request to a dishonest site (for example because the user followed a hyperlink), the dishonest site can redirect the request back to the honest site. If the redirected request carries the same Origin header as the original request, the request will implicate the honest site as generating the request. To protect the honest site, the user agent replaces the Origin header with null, so a conforming server will not modify state in response to a redirect.

http://crypto.stanford.edu/websec/specs/origin-header/
-----


- Bil
Received on Thursday, 15 January 2009 01:33:42 GMT
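As an added illustration (not part of the thread or of the Stanford draft Bil quotes), a Python sketch of the redirect scenario: the honest site's server modifies state only when the Origin header names an allowed origin, and a user agent that carried the original Origin across the redirect would let the dishonest site implicate the honest one. The origin names and the endpoint path are constructed for the example.

```python
# Constructed example: Origin-header CSRF check versus the redirect case.
# Origins and paths are made up; they are not from the mailing-list thread.
ALLOWED_ORIGINS = {"https://honest.example"}  # assumed allowlist of the honest site


def should_modify_state(headers: dict) -> bool:
    """Conforming server: modify state only for an allowed, non-null Origin."""
    origin = headers.get("Origin")
    if origin is None or origin == "null":
        # Absent or "null" (redirected) Origin: refuse the state change.
        return False
    return origin in ALLOWED_ORIGINS


def follow_redirect(request: dict, location: str, preserve_origin: bool) -> dict:
    """Simulated user agent following a redirect.

    Per the quoted text, a conforming UA replaces Origin with "null" so the
    redirected request cannot be blamed on the original page's origin.
    preserve_origin=True models the unsafe behaviour the thread argues against.
    """
    headers = dict(request["headers"])
    if not preserve_origin:
        headers["Origin"] = "null"
    return {"method": request["method"], "url": location, "headers": headers}


def scenario(preserve_origin: bool) -> bool:
    """Honest page sends a request to a dishonest site, which redirects it
    back to a state-changing endpoint on the honest site. Returns whether
    the honest server would act on the redirected request."""
    initial = {
        "method": "POST",
        "url": "https://dishonest.example/go",
        "headers": {"Origin": "https://honest.example"},
    }
    redirected = follow_redirect(
        initial, "https://honest.example/account/delete", preserve_origin
    )
    return should_modify_state(redirected["headers"])


if __name__ == "__main__":
    print("Origin preserved across redirect -> state modified:", scenario(True))
    print("Origin set to null on redirect   -> state modified:", scenario(False))
```

With the Origin preserved the honest server cannot tell the redirected request from a genuine same-origin one; with Origin rewritten to null it refuses.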
