- From: Adam Barth <w3c@adambarth.com>
- Date: Wed, 24 Jun 2009 16:28:08 -0700
- To: Henrik Nordstrom <henrik@henriknordstrom.net>
- Cc: "Roy T. Fielding" <fielding@gbiv.com>, Larry Masinter <LMM@acm.org>, Mark Nottingham <mnot@mnot.net>, ietf-http-wg@w3.org, Lisa Dusseault <ldusseault@commerce.net>
On Wed, Jun 24, 2009 at 4:08 PM, Henrik Nordstrom <henrik@henriknordstrom.net> wrote:
> Thu 2009-01-22 at 17:35 -0800, Adam Barth wrote:
>> I experimentally measured how often the Origin header is dropped in
>> the real world, and it is not dropped greater than 99.9% of the time.
>
> So the actual motivation for Origin is because Referer is dropped in
> some networks, while the still unknown Origin header is not dropped in
> the same networks?

We've covered this issue before. You can find the answer by reading the whole thread. In summary, servers cannot distinguish between the user agent not sending a Referer header and the header being stripped in the network, making it impossible to use the Referer header as a CSRF defense without locking out a non-trivial number of users.

> And why is this? Imho simply because the network admins who worry about
> Referer do not yet know about Origin. Once they learn about Origin they
> will start filtering that header in the same manner as they do with
> Referer, putting you back on square one, implementing Origin2?
>
> Regards
> Henrik
Received on Wednesday, 24 June 2009 23:29:07 UTC
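The ambiguity the reply describes, shown as an added illustration that is not code from the thread or from any of its participants. It runs a constructed set of requests through a Referer-based check (strict and lenient) and an Origin-based check; the header names follow the thread, while the allowlist, the sample requests and the function names are assumptions made for the example:

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url):
    """Reduce an absolute URL (a Referer value, or a bare Origin value)
    to 'scheme://host[:port]', dropping the scheme's default port.
    Returns None when the value carries no scheme or host; this also
    covers the literal Origin value "null", which names no source."""
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    host = parts.hostname  # already lower-cased by urlsplit
    if not scheme or not host:
        return None
    try:
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return None
    if port is None or port == DEFAULT_PORTS.get(scheme):
        return f"{scheme}://{host}"
    return f"{scheme}://{host}:{port}"


def check_csrf(headers, allowed_origins, header="origin", reject_missing=True):
    """Same-origin check for a state-changing request.

    headers: request headers with lower-case names (a constructed dict here).
    header: which header to trust, "origin" or "referer".
    reject_missing: policy when the header is absent. The server sees the
    same thing whether the browser never sent the header or a proxy
    stripped it in transit, which is the point made in the reply above.
    Returns (accept, reason)."""
    value = headers.get(header)
    if value is None:
        return (not reject_missing, f"{header} absent")
    src = origin_of(value)
    if src is None:
        return (False, f"{header} unusable: {value!r}")
    return (src in allowed_origins, f"{header} origin {src}")


# Assumed site and allowlist for the example.
ALLOWED = {"https://bank.example"}

# Constructed requests: what the server might see for a POST to bank.example.
REQUESTS = {
    "same-site browser": {"origin": "https://bank.example",
                          "referer": "https://bank.example/transfer"},
    "cross-site form post": {"origin": "https://attacker.example",
                             "referer": "https://attacker.example/evil.html"},
    # Referer removed by a proxy or privacy setting; Origin still present.
    "referer-stripping proxy": {"origin": "https://bank.example"},
    "no headers at all": {},
}


def compare_policies():
    """Run every request through three policies and return
    {request_name: {policy_name: accept}}."""
    policies = {
        "referer/strict": dict(header="referer", reject_missing=True),
        "referer/lenient": dict(header="referer", reject_missing=False),
        "origin": dict(header="origin", reject_missing=True),
    }
    return {
        name: {p: check_csrf(h, ALLOWED, **kw)[0] for p, kw in policies.items()}
        for name, h in REQUESTS.items()
    }


if __name__ == "__main__":
    for name, row in compare_policies().items():
        verdicts = "  ".join(f"{p}={'accept' if ok else 'reject'}" for p, ok in row.items())
        print(f"{name:26s} {verdicts}")
```

The two Referer rows make the trade-off concrete: the strict policy rejects the user behind the stripping proxy (the lock-out the reply refers to), while the lenient policy accepts any request that arrives with no Referer at all. The Origin row uses reject_missing=True; how a site treats browsers that never send Origin is a separate compatibility decision that the thread does not settle.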