- From: Bil Corry <bil@corry.biz>
- Date: Fri, 16 Jan 2009 18:10:55 -0600
- To: Maciej Stachowiak <mjs@apple.com>
- CC: Adrian Bateman <adrianba@microsoft.com>, Anne van Kesteren <annevk@opera.com>, Jonas Sicking <jonas@sicking.cc>, "public-webapps@w3.org" <public-webapps@w3.org>
Maciej Stachowiak wrote on 1/16/2009 4:40 PM:
> Such hotlinking is probably using a GET request, so no Origin header
> would be sent. I believe it is also outside the scope of the CSRF
> protection and cross-origin data sharing goals of Origin. The Referer
> header is still usable for hotlinking prevention in this scenario, the
> only downside being that it is apparently often filtered by sites or
> users for privacy reasons.

Ha, well, mea culpa. I was imagining it from the endpoint receiving an Origin header, then how it could be deceptive in the case of a redirect. If anything, I guess my scenario would be an argument against sending Origin for non-Access-Control GET requests. Thanks for keeping me straight.

As for the hotlinking, I wasn't implying that Origin should (or can) be used to combat it. I saw it as an example of how the Origin header may have the side-effect of being used for other purposes simply by being present in the request.

- Bil
Received on Saturday, 17 January 2009 00:11:37 UTC
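The distinction the two messages above draw (Origin as a CSRF signal on state-changing requests, Referer as the only available signal for hotlinking on plain GET, and Referer being frequently stripped) is easy to get wrong in server code. The following is an added illustration written for this archive page, not code from either correspondent or from any W3C specification. It assumes a hypothetical site origin `https://app.example` and constructed request headers; it shows a server-side check that requires Origin (falling back to Referer) only on state-changing methods, applies no origin check to ordinary GET, and a separate hotlink policy that tolerates an absent Referer precisely because privacy filters remove it.

```python
from urllib.parse import urlsplit

# Constructed values for this example; the site origin is an assumption.
SITE_ORIGIN = "https://app.example"
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


def _header(headers, name):
    """Case-insensitive header lookup over a plain dict."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


def origin_of(url):
    """Reduce a URL to its scheme://host[:port] origin, lower-cased, or None."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}".lower()


def check_request(method, headers, site_origin=SITE_ORIGIN):
    """CSRF-style origin check. Returns (allowed, reason).

    Safe methods (GET, HEAD, OPTIONS): no origin check at all. Origin is not
    sent on an ordinary GET and Referer is often stripped, so neither header
    is a dependable signal there; GET handlers must not change state instead.

    State-changing methods: Origin must match the site; if Origin is absent,
    fall back to the Referer's origin; if both are absent, reject. A literal
    "null" Origin simply fails the comparison and is rejected.
    """
    if method.upper() not in STATE_CHANGING:
        return True, "safe method; origin check not applied"

    origin = _header(headers, "Origin")
    if origin is not None:
        if origin.lower() == site_origin.lower():
            return True, "Origin matches site"
        return False, f"Origin mismatch: {origin}"

    referer = _header(headers, "Referer")
    if referer is not None:
        ref_origin = origin_of(referer)
        if ref_origin == site_origin.lower():
            return True, "Referer origin matches site"
        return False, f"Referer origin mismatch: {ref_origin}"

    return False, "no Origin or Referer on state-changing request"


def hotlink_allowed(headers, site_origin=SITE_ORIGIN):
    """Referer-based hotlink policy for GET of static assets.

    Because sites and users routinely filter Referer for privacy, a missing
    Referer is treated as allowed; only an explicit foreign Referer is denied.
    That leniency is the downside noted in the thread: a hotlinker who strips
    Referer passes this check, so it deters casual hotlinking, nothing more.
    """
    referer = _header(headers, "Referer")
    if referer is None:
        return True
    return origin_of(referer) == site_origin.lower()


# Constructed sample requests exercising each branch.
SAMPLE_REQUESTS = [
    ("GET", {"Referer": "https://blog.example/post"}),        # hotlinked GET
    ("GET", {}),                                               # Referer stripped
    ("POST", {"Origin": "https://app.example"}),               # same-site POST
    ("POST", {"Origin": "https://blog.example"}),              # cross-site POST
    ("POST", {"Referer": "https://app.example/form"}),         # old UA, no Origin
    ("POST", {}),                                              # nothing to check
]


def evaluate_samples():
    """Return the allow/deny verdict for each constructed sample request."""
    return [check_request(m, h)[0] for m, h in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for (method, headers), verdict in zip(SAMPLE_REQUESTS, evaluate_samples()):
        print(method, headers, "->", "allow" if verdict else "deny")
```

Note that `check_request` deliberately returns "allowed" for every GET: the thread's point is that the CSRF check belongs on the state-changing request, and hotlinking of a GET resource is a separate concern handled, if at all, by the weaker `hotlink_allowed` policy.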