
Re: [access-control] Access-Control-Allow-Origin: * and ascii-origin in IE8

From: Bil Corry <bil@corry.biz>
Date: Fri, 16 Jan 2009 11:02:38 -0600
Message-ID: <4970BDAE.9050902@corry.biz>
To: Maciej Stachowiak <mjs@apple.com>
CC: Adrian Bateman <adrianba@microsoft.com>, Anne van Kesteren <annevk@opera.com>, Jonas Sicking <jonas@sicking.cc>, "public-webapps@w3.org" <public-webapps@w3.org>

Maciej Stachowiak wrote on 1/15/2009 10:40 PM: 
> CONCLUSION: We should use a single Origin header with the name and
> semantics of the Access-Control Origin header for both its
> Access-Control purpose and for redirect defense. The differences in the
> HTML5 version are not worth the cost of a very similar but subtly
> different header. And if we ever find the attack in case 3 is more than
> theoretical, we could add a 'Redirected-Via' header to provide full
> information.

Thank you for the extended explanation.  I do now see your point, and agree it's probably the best course of action.  It will, however, still leave open some odd side-effects from not identifying the redirect source, but maybe they're unlikely to be common.  For example, Site A allows the users to specify a remote location for their avatar image; the user points to Site B, which in turn then redirects to Site C.  Site C doesn't like its images being used remotely and checks the Origin header and identifies Site A.  Site C then complains to Site A about the hotlinking; Site A checks its avatar URLs and doesn't find Site C listed.  So now you have Site C being hotlinked from Site A, but Site A has no way to discover how it's happening other than to crawl all outbound URLs.

- Bil
Received on Friday, 16 January 2009 17:03:18 UTC
