
Re: [whatwg] Fetch: crossorigin="anonymous" and XMLHttpRequest

From: Anne van Kesteren <annevk@annevk.nl>
Date: Tue, 19 Mar 2013 23:08:51 -0400
Message-ID: <CADnb78jJU9WCQc4m-gBL03vxZ5ZkO18hUnWbCeUumyX7wBRwLQ@mail.gmail.com>
To: Jonas Sicking <jonas@sicking.cc>
Cc: WHATWG <whatwg@whatwg.org>
On Tue, Mar 19, 2013 at 6:30 PM, Jonas Sicking <jonas@sicking.cc> wrote:
> I don't think that that is a particularly convincing argument since there is
> no confused deputy problem here, and if a website is making security
> decisions based on referrer headers even when there are no other identifying
> signals, then that website is a lost cause.

Not if the referring URL was a capability, which I think might have
been the point.


> In other words, I see no new attack vectors being introduced, but I do see
> additional value, if we keep the referrer.

You do know there are efforts to make Referer obsolete within
Mozilla, so as to leak less information about the user?


> Regarding origin. I guess I don't care terribly strongly either way. But I
> don't really see the value of creating an exception here from regular CORS
> given that I don't see any attack vectors that are being closed.

Yeah, hmm, I wish more people participated in this thread.


-- 
http://annevankesteren.nl/
Received on Wednesday, 20 March 2013 03:09:20 GMT
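The "referring URL was a capability" point above is easiest to see with a concrete model. The following is an added example, not code from the thread or from any browser: it computes the Referer value a cross-origin fetch would carry from a page whose URL contains a secret token, under a few referrer policies. The policy names are borrowed from the later Referrer Policy specification, but the function is a simplified model of that behaviour, not the specification itself; the page and request URLs and the token are constructed for the example.

```javascript
// Added example (not from the thread). Models how a page URL that carries a
// capability (a secret token in the path or query) ends up in the Referer
// header of a cross-origin request, and what each policy preserves.
// Policy names follow the Referrer Policy spec; the semantics are a
// simplified model, not a spec-accurate implementation.

function referrerFor(documentUrl, requestUrl, policy) {
  const doc = new URL(documentUrl);
  const req = new URL(requestUrl);

  // Userinfo and fragment are never sent in Referer, whatever the policy.
  doc.username = '';
  doc.password = '';
  doc.hash = '';

  const sameOrigin = doc.origin === req.origin;
  // "Downgrade": leaving a TLS-protected page for a plaintext destination.
  const downgrade = doc.protocol === 'https:' && req.protocol === 'http:';
  const full = doc.href;              // path and query included
  const originOnly = doc.origin + '/'; // scheme + host + port only

  switch (policy) {
    case 'no-referrer':
      return null;
    case 'origin':
      return originOnly;
    case 'same-origin':
      return sameOrigin ? full : null;
    case 'strict-origin-when-cross-origin':
      if (sameOrigin) return full;
      return downgrade ? null : originOnly;
    case 'unsafe-url':
      return full;
    default:
      throw new Error('unknown referrer policy: ' + policy);
  }
}

// True when the token that makes the page URL a capability would reach
// the request's destination through the Referer header.
function leaksCapability(documentUrl, requestUrl, policy, token) {
  const ref = referrerFor(documentUrl, requestUrl, policy);
  return ref !== null && ref.includes(token);
}

// Constructed sample: a share link whose query string is the capability.
const PAGE = 'https://app.example/share/5f3a9c1d2e?token=abc123#top';
const TOKEN = 'abc123';
const CROSS_ORIGIN_IMG = 'https://cdn.other.example/img.png';
const PLAINTEXT_IMG = 'http://cdn.other.example/img.png';

for (const policy of ['unsafe-url', 'strict-origin-when-cross-origin', 'origin', 'same-origin', 'no-referrer']) {
  console.log(policy.padEnd(32),
    'Referer:', String(referrerFor(PAGE, CROSS_ORIGIN_IMG, policy)),
    'leaks token:', leaksCapability(PAGE, CROSS_ORIGIN_IMG, policy, TOKEN));
}
```

Only `unsafe-url` (the historical default) hands the token to the third-party host; every other policy either truncates the Referer to the origin or drops it, which is the information-leak argument for not sending a full Referer on anonymous cross-origin fetches.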