[whatwg] Dealing with UI redress vulnerabilities inherent to the current web

On Mon, 29 Sep 2008 16:06:09 -0400, Adam Barth <whatwg at adambarth.com>  
wrote:
> The current proposal is to sent the Origin header for non-GET,
> non-HEAD requests.  The main reason not to send the header all the
> time is that it raises similar privacy concerns as the Referer header,
> which have caused the Referer header to be suppressed a non-trivial
> fraction of the time.
>
> Sending the Origin header more often is better for security, but it is
> a gamble.  If we decide to send it too often, users/network operators
> will just suppress the header and we won't have improved the
> situation.  Sending the header for <form> POSTs seems like a clean
> design point because sites don't POST to untrusted sites nearly as
> often as they hyperlink to them.

Hmm, we went through this before I believe. I thought the issue with  
Referer was that it exposed path information, but I guess the problem with  
Origin is that it reveals the intranet server name? On the other hand, for  
the not-link following case how common is it for intranet applications to  
load images and resources cross-site?


-- 
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>

Received on Monday, 29 September 2008 13:40:54 UTC