Right -- and that's why we're modifying referer to allow about:blank.

The question I have is whether this makes Referer adequate for the use cases that the various W3C WGs have for Origin (assuming that they'll place additional requirements on it).

Cheers,

On 25/06/2009, at 9:28 AM, Adam Barth wrote:

> On Wed, Jun 24, 2009 at 4:08 PM, Henrik Nordstrom <henrik@henriknordstrom.net> wrote:
>> Thu 2009-01-22 at 17:35 -0800, Adam Barth wrote:
>>> I experimentally measured how often the Origin header is dropped in
>>> the real world, and it is not dropped greater than 99.9% of the time.
>>
>> So the actual motivation for Origin is because Referer is dropped in
>> some networks, while the still unknown Origin header is not dropped in
>> the same networks?
>
> We've covered this issue before. You can find the answer by reading
> the whole thread. In summary, servers cannot distinguish between the
> user agent not sending a Referer header and the header being stripped
> in the network, making it impossible to use the Referer header as a
> CSRF defense without locking out a non-trivial number of users.
>
>> And why is this? Imho simply because the network admins who worry about
>> Referer do not yet know about Origin. Once they learn about Origin they
>> will start filtering that header in the same manner as they do with
>> Referer, putting you back on square one, implementing Origin2?
>>
>> Regards
>> Henrik
>>

--
Mark Nottingham     http://www.mnot.net/

Received on Thursday, 25 June 2009 01:30:34 UTC
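The point Adam makes in the quoted reply (a server cannot tell "the user agent sent no Referer" from "a proxy stripped it", so a Referer-only check must either lock out those users or fail open) can be seen in code. The following is an added example written for this archive page; it is not code from the thread, from Adam Barth's Origin draft, or from any of the participants. The site origin, the two request fixtures and the `simulate` helper that models a stripping proxy are all constructed for illustration.

```python
"""
Origin-first CSRF check with Referer fallback, showing why the fallback
forces a strict-vs-lenient choice when both headers are missing.
Constructed example; the header dicts below are made-up request fixtures.
"""
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

ALLOW, DENY = "allow", "deny"
# Constructed site origin used by the fixtures (assumption, not from the thread).
SITE = "https://example.test"


def origin_of(url: str) -> Optional[str]:
    """Reduce an absolute URL to its scheme://host[:port] form; None if not absolute."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}"


def check_csrf(headers: Dict[str, str], site_origin: str, strict: bool) -> Tuple[str, str]:
    """Decide whether a state-changing request is same-origin.

    Returns (decision, reason). Header names match case-insensitively.
    `strict` is the policy applied when neither header is usable: a strict
    deployment denies (locking out clients behind a stripping proxy), a
    lenient one allows (losing CSRF protection for exactly those requests).
    """
    h = {k.lower(): v for k, v in headers.items()}
    origin = h.get("origin")
    if origin is not None:
        if origin == "null":
            # The UA did speak, but explicitly vouches for no origin.
            return (DENY, "origin is null")
        return (ALLOW, "origin match") if origin == site_origin else (DENY, "origin mismatch")
    referer_origin = origin_of(h.get("referer", ""))
    if referer_origin is not None:
        return (ALLOW, "referer match") if referer_origin == site_origin else (DENY, "referer mismatch")
    # Neither header usable: the server cannot distinguish "UA sent nothing"
    # from "network stripped it", which is the ambiguity the thread discusses.
    return (DENY if strict else ALLOW, "no origin information")


def simulate(strip: Tuple[str, ...], strict: bool) -> Dict[str, str]:
    """Model a proxy that removes the headers named in `strip`, then run the
    check over one legitimate same-site request and one cross-site request.
    Both requests are constructed fixtures."""
    legit = {"Origin": SITE, "Referer": SITE + "/form"}
    hostile = {"Origin": "https://other.test", "Referer": "https://other.test/page"}
    stripped = {s.lower() for s in strip}
    out: Dict[str, str] = {}
    for name, req in (("legit", legit), ("hostile", hostile)):
        visible = {k: v for k, v in req.items() if k.lower() not in stripped}
        out[name] = check_csrf(visible, SITE, strict)[0]
    return out


if __name__ == "__main__":
    # Referer stripped, Origin intact: the check still separates the two.
    print("strip Referer, strict:", simulate(("Referer",), True))
    # Both stripped (the "square one" scenario): strict locks out the
    # legitimate user, lenient lets the cross-site request through.
    print("strip both, strict:  ", simulate(("Origin", "Referer"), True))
    print("strip both, lenient: ", simulate(("Origin", "Referer"), False))
```

Running it shows the trade-off directly: as long as Origin survives the network, the decision is correct regardless of Referer; once both headers are gone, neither policy setting gives a correct answer for both requests, which is why Adam's argument rests on Origin being dropped far less often than Referer.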