- From: Mark Nottingham <mnot@mnot.net>
- Date: Thu, 25 Jun 2009 11:29:54 +1000
- To: Adam Barth <w3c@adambarth.com>
- Cc: Henrik Nordstrom <henrik@henriknordstrom.net>, "Roy T. Fielding" <fielding@gbiv.com>, Larry Masinter <LMM@acm.org>, ietf-http-wg@w3.org, Lisa Dusseault <ldusseault@commerce.net>
Right -- and that's why we're modifying Referer to allow about:blank.

The question I have is whether this makes Referer adequate for the use cases that the various W3C WGs have for Origin (assuming that they'll place additional requirements on it).

Cheers,

On 25/06/2009, at 9:28 AM, Adam Barth wrote:

> On Wed, Jun 24, 2009 at 4:08 PM, Henrik Nordstrom <henrik@henriknordstrom.net> wrote:
>> Thu 2009-01-22 at 17:35 -0800, Adam Barth wrote:
>>> I experimentally measured how often the Origin header is dropped in
>>> the real world, and it is not dropped greater than 99.9% of the time.
>>
>> So the actual motivation for Origin is because Referer is dropped in
>> some networks, while the still unknown Origin header is not dropped in
>> the same networks?
>
> We've covered this issue before. You can find the answer by reading
> the whole thread. In summary, servers cannot distinguish between the
> user agent not sending a Referer header and the header being stripped
> in the network, making it impossible to use the Referer header as a
> CSRF defense without locking out a non-trivial number of users.
>
>> And why is this? Imho simply because the network admins who worry about
>> Referer do not yet know about Origin. Once they learn about Origin they
>> will start filtering that header in the same manner as they do with
>> Referer, putting you back on square one, implementing Origin2?
>>
>> Regards
>> Henrik
>>

--
Mark Nottingham http://www.mnot.net/
Received on Thursday, 25 June 2009 01:30:34 UTC
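As an added illustration of the point Adam makes above about why a missing Referer cannot be acted on safely (example code, not from the thread or any of its participants), here is a server-side CSRF check that runs a Referer-based policy and an Origin-based policy over constructed requests. The trusted origin and the sample headers are assumptions, and the handling of the opaque `Origin: null` value follows the later RFC 6454 rather than the 2009 draft.

```python
from urllib.parse import urlsplit

# Constructed for this example: the application's own origin.
TRUSTED_ORIGINS = {"https://app.example"}

def origin_of(url):
    """Serialize a URL as scheme://host[:port] so it compares to an Origin value."""
    p = urlsplit(url)
    if not p.scheme or not p.hostname:
        return None
    port = f":{p.port}" if p.port is not None else ""
    return f"{p.scheme}://{p.hostname}{port}"

def check_referer(headers, reject_missing):
    """Referer-based CSRF check. A missing Referer is ambiguous: the server cannot
    tell a Referer-stripping proxy from a request the browser sent without one,
    so it must either deny (locking out users behind such proxies) or allow
    (leaving the CSRF hole open). `reject_missing` selects which."""
    ref = headers.get("Referer")
    if ref is None:
        return "deny" if reject_missing else "allow"
    return "allow" if origin_of(ref) in TRUSTED_ORIGINS else "deny"

def check_origin(headers):
    """Origin-based CSRF check. The thread's measurement is that Origin is dropped
    in well under 0.1% of requests, so denying on absence locks out far fewer
    users. 'null' (the opaque value for privacy-sensitive contexts, per the later
    RFC 6454) is never a trusted origin and is denied."""
    origin = headers.get("Origin")
    if origin is None or origin == "null":
        return "deny"
    return "allow" if origin in TRUSTED_ORIGINS else "deny"

# Constructed sample state-changing requests as they arrive at the server.
REQUESTS = {
    "same_site":      {"Origin": "https://app.example", "Referer": "https://app.example/form"},
    "cross_site":     {"Origin": "https://evil.example", "Referer": "https://evil.example/x"},
    "proxy_stripped": {"Origin": "https://app.example"},   # Referer removed in the network
    "no_referer":     {"Origin": "https://evil.example"},  # cross-site, arrives without Referer
}

def evaluate():
    """Return each request's verdict under the three policies."""
    return {name: {"referer_lenient": check_referer(h, False),
                   "referer_strict": check_referer(h, True),
                   "origin": check_origin(h)} for name, h in REQUESTS.items()}

if __name__ == "__main__":
    for name, verdict in evaluate().items():
        print(name, verdict)
```

Only the Origin policy lets the legitimate proxy-stripped request through while still denying the cross-site request that carries no Referer; the Referer policy has to give both the same answer.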