- From: Ian Hickson <ian@hixie.ch>
- Date: Sun, 30 Nov 2008 07:25:06 +0000 (UTC)
On Sat, 29 Nov 2008, Adam Barth wrote:
>
> On Sat, Nov 29, 2008 at 10:20 PM, Ian Hickson <ian at hixie.ch> wrote:
> > Regarding the open issue -- it seems like whenever a cross-origin redirect
> > takes place, the origin of the redirecting site should be used, instead of
> > the original origin. (But the origin should survive same-origin redirects
> > unaffected.)
>
> That makes sense for CSRF mitigation, but it might not make sense for
> cross-site XMLHttpRequest. In that case, we'd like the header to
> identify which origin will get to read the response (i.e., the
> JavaScript context that initiated the request, not the redirector).
>
> > That would reduce the attack surface area to just the case of a hostile
> > site finding a redirect on a site trusted by the victim that redirects to
> > a victim site. Not sure if there's anything we can do about that case.
>
> Another possibility is to replace the Origin header with "null" if there
> is a cross-origin redirect. The idea in this design is that multiple
> origins have contributed to the request and the browser can't clearly
> disentangle them. This design should address the open-redirector case
> as well.

Yeah, that would work.

Regarding which spec to put things in -- what are the cases you want this
header to be included for? Just form submission? All navigation? All
network traffic including, e.g., <script src="">, <img src="">,
<link rel=stylesheet href="">? Just POSTs? All methods?

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Saturday, 29 November 2008 23:25:06 UTC
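The two redirect policies debated in the thread, modelled as code. This is an added example, not code from the thread or from any browser or specification; the function names, the "redirector" and "null" policy labels, and the sample origins are all assumptions made here. The first function computes the Origin header value a browser would attach to the final request of a redirect chain under each policy; the second is the server-side CSRF check that a site relying on the header would perform, which treats both a missing header and the literal "null" as untrusted.

```python
from urllib.parse import urlsplit


def origin_of(url: str) -> str:
    """Serialize the origin of a URL as scheme://host[:port], omitting default ports."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port
    if port is None or (scheme, port) in (("http", 80), ("https", 443)):
        return f"{scheme}://{host}"
    return f"{scheme}://{host}:{port}"


def origin_header_after_redirects(initiator: str, urls: list, policy: str = "null") -> str:
    """Return the Origin header value sent on the last request of a redirect chain.

    initiator: origin of the context (page or script) that started the request.
    urls:      urls[0] is the first request; each later entry is the Location
               target the previous response redirected to.
    policy:    "null"       -> once any cross-origin redirect occurs, send "null"
               "redirector" -> send the origin of the last site that issued a
                               cross-origin redirect
    Same-origin redirects never change the value under either policy.
    (Policy names are labels chosen for this example.)
    """
    if policy not in ("null", "redirector"):
        raise ValueError(f"unknown policy: {policy}")
    current = initiator
    crossed = False
    for prev_url, next_url in zip(urls, urls[1:]):
        if origin_of(prev_url) != origin_of(next_url):
            crossed = True
            current = origin_of(prev_url)  # the site whose response redirected us
    if not crossed:
        return initiator
    return "null" if policy == "null" else current


def csrf_check(origin_header, allowed_origins: set) -> bool:
    """Server side: accept a state-changing request only if Origin names a trusted origin.

    A missing header and the literal "null" are both rejected, since neither
    identifies a single origin the server can hold responsible for the request.
    """
    if origin_header is None or origin_header == "null":
        return False
    return origin_header in allowed_origins


# Constructed scenario from the thread: a hostile page triggers a request to a
# trusted site's open redirector, which forwards it to the victim site.
HOSTILE = "https://hostile.example"
TRUSTED_REDIRECT = "https://trusted.example/go?to=https://victim.example/transfer"
VICTIM_ACTION = "https://victim.example/transfer"
VICTIM_ALLOWS = {"https://victim.example", "https://trusted.example"}


def open_redirector_outcome(policy: str) -> bool:
    """True if the victim server would accept the redirected request under `policy`."""
    header = origin_header_after_redirects(HOSTILE, [TRUSTED_REDIRECT, VICTIM_ACTION], policy)
    return csrf_check(header, VICTIM_ALLOWS)


if __name__ == "__main__":
    for policy in ("redirector", "null"):
        print(policy, "->", "accepted" if open_redirector_outcome(policy) else "rejected")
```

Run stand-alone, the script shows the difference the thread is discussing: with the "redirector" policy the victim sees the trusted site's origin and accepts the request, while with the "null" policy the header becomes "null" and the check fails; a chain of same-origin redirects leaves the initiator's origin untouched under both.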