Re: The HTTP Origin Header (draft-abarth-origin)

On Wed, Jun 24, 2009 at 4:08 PM, Henrik Nordstrom <> wrote:
> tor 2009-01-22 klockan 17:35 -0800 skrev Adam Barth:
>> I experimentally measured how often the Origin header is dropped in
>> the real world, and it is not dropped greater than 99.9% of the time.
> So the actual motivation for Origin is because Referer is dropped in
> some networks, while the still unknown Origin header is not dropped in
> the same networks?

We've covered this issue before.  You can find the answer by reading
the whole thread.  In summary, servers cannot distinguish between the
user agent not sending a Referer header and the header being stripped
in the network, making it impossible to use the Referer header as a
CSRF defense without locking out a non-trivial number of users.

> And why is this? Imho simply because the network admins who worry about
> Referer do not yet know about Origin. Once they learn about Origin they
> will start filtering that header in the same manner as they do with
> Referer, putting you back on square one, implementing Origin2?
> Regards
> Henrik

Received on Wednesday, 24 June 2009 23:29:07 UTC
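As an added example (not code from this thread or from the draft), one way a server could apply the reasoning in the reply above: an Origin value, when present, is authoritative; a Referer value stands in for it on legacy user agents; and a request carrying neither is the ambiguous case the message describes. The allowed origin, the sample headers and the choice to reject the ambiguous case are constructed assumptions for illustration.

```python
from urllib.parse import urlsplit

# Constructed for this example: the origin this site serves its forms from.
ALLOWED_ORIGINS = {"https://bank.example"}
DEFAULT_PORTS = {"http": 80, "https": 443}


def serialize_origin(url):
    """Reduce a URL or Origin value to scheme://host[:port]; None if unusable.

    Scheme and host are compared case-insensitively; a default port is dropped so
    "https://bank.example:443" and "https://bank.example" compare equal.
    """
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        return None  # covers the literal value "null" and garbage
    suffix = "" if port in (None, DEFAULT_PORTS[parts.scheme]) else f":{port}"
    return f"{parts.scheme}://{parts.hostname}{suffix}"


def csrf_decision(headers):
    """Decide whether a state-changing request should be accepted.

    Returns (accept, reason).  Header names are matched case-insensitively.
    """
    h = {name.lower(): value for name, value in headers.items()}
    origin = h.get("origin")
    if origin is not None:
        # Present Origin header: its value decides, whatever Referer says.
        if serialize_origin(origin) in ALLOWED_ORIGINS:
            return True, "origin allowed"
        return False, "origin not allowed"
    referer = h.get("referer")
    if referer is not None:
        # No Origin support in the UA: the Referer's origin stands in for it.
        if serialize_origin(referer) in ALLOWED_ORIGINS:
            return True, "referer origin allowed"
        return False, "referer origin not allowed"
    # Neither header present.  The server cannot tell a UA that suppressed
    # Referer from a network that stripped it; accepting reopens CSRF,
    # rejecting locks out whoever is behind such a network.  This example
    # rejects (an assumption, not the draft's requirement).
    return False, "no origin information"
```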