On Wed, Jun 24, 2009 at 4:08 PM, Henrik Nordstrom <henrik@henriknordstrom.net> wrote:
> Thu 2009-01-22 at 17:35 -0800, Adam Barth wrote:
>> I experimentally measured how often the Origin header is dropped in
>> the real world, and it is not dropped greater than 99.9% of the time.
>
> So the actual motivation for Origin is because Referer is dropped in
> some networks, while the still unknown Origin header is not dropped in
> the same networks?

We've covered this issue before. You can find the answer by reading the whole thread. In summary, servers cannot distinguish between the user agent not sending a Referer header and the header being stripped in the network, making it impossible to use the Referer header as a CSRF defense without locking out a non-trivial number of users.

> And why is this? Imho simply because the network admins who worry about
> Referer do not yet know about Origin. Once they learn about Origin they
> will start filtering that header in the same manner as they do with
> Referer, putting you back on square one, implementing Origin2?
>
> Regards
> Henrik
>

Received on Wednesday, 24 June 2009 23:29:07 UTC
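The server-side decision the message describes, as an added example that is not part of the thread: a missing header is the same input whether the browser never sent it or a proxy stripped it, so a Referer check must accept that case to avoid lockouts, while an Origin check can afford to reject it. The site origin and the sample requests are constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed for this example: the origin the server considers its own.
SITE_ORIGIN = "https://shop.example"


def origin_of(url):
    """Reduce a URL such as a Referer value to its scheme://host[:port]."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}"


def decide(sender, reject_if_absent):
    """Core CSRF decision on a sender origin (None = header not received).

    A missing header looks the same whether the browser never sent it or a
    proxy stripped it, so the only choices for that case are reject-all or
    accept-all. Returns (allowed, reason).
    """
    if sender is None:
        return (not reject_if_absent, "absent")
    if sender != SITE_ORIGIN:  # any other value, e.g. another site
        return (False, "mismatch")
    return (True, "match")


def referer_check(headers):
    """Referer-based check. It has to be lenient about a missing header, or
    every user behind a Referer-stripping proxy is locked out."""
    value = headers.get("Referer")
    return decide(origin_of(value) if value else None, reject_if_absent=False)


def origin_check(headers):
    """Origin-based check. Because Origin is rarely dropped, the server can
    afford to reject requests that arrive without it."""
    return decide(headers.get("Origin"), reject_if_absent=True)


# Constructed sample requests: same-site, cross-site, and headers stripped.
SAMPLE_REQUESTS = {
    "same-site": {"Origin": SITE_ORIGIN, "Referer": SITE_ORIGIN + "/cart"},
    "cross-site": {"Origin": "https://other.example",
                   "Referer": "https://other.example/page"},
    "stripped": {},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLE_REQUESTS.items():
        print(f"{name:10} referer={referer_check(hdrs)} origin={origin_check(hdrs)}")
```

The "stripped" row is the one the message is about: the Referer policy has to let it through, the Origin policy does not.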