Re: The HTTP Origin Header (draft-abarth-origin)

Right -- and that's why we're modifying referer to allow about:blank.

The question I have is whether this makes Referer adequate for the use
cases that the various W3C WGs have for Origin (assuming that they'll
place additional requirements on it).

Cheers,


On 25/06/2009, at 9:28 AM, Adam Barth wrote:

> On Wed, Jun 24, 2009 at 4:08 PM, Henrik
> Nordstrom<henrik@henriknordstrom.net> wrote:
>> tor 2009-01-22 klockan 17:35 -0800 skrev Adam Barth:
>>> I experimentally measured how often the Origin header is dropped in
>>> the real world, and it is not dropped greater than 99.9% of the time.
>>
>> So the actual motivation for Origin is because Referer is dropped in
>> some networks, while the still unknown Origin header is not dropped in
>> the same networks?
>
> We've covered this issue before.  You can find the answer by reading
> the whole thread.  In summary, servers cannot distinguish between the
> user agent not sending a Referer header and the header being stripped
> in the network, making it impossible to use the Referer header as a
> CSRF defense without locking out a non-trivial number of users.
>
>> And why is this? Imho simply because the network admins who worry about
>> Referer do not yet know about Origin. Once they learn about Origin they
>> will start filtering that header in the same manner as they do with
>> Referer, putting you back on square one, implementing Origin2?
>>
>> Regards
>> Henrik
>>
>>


--
Mark Nottingham     http://www.mnot.net/

Received on Thursday, 25 June 2009 01:30:34 UTC
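The ambiguity Adam describes above (a server cannot tell a browser that never sent Referer from a proxy that stripped it, so a Referer-only CSRF check either opens a hole or locks users out) is easy to see in a small server-side check. The code below is an added illustration written for this archive page; it is not code from the draft, from any of the participants, or from a W3C WG. The protected site (https://example.org), the attacker origin, the sample requests and the Referer-stripping proxy are all constructed for the example, and treating an Origin value of "null" as untrusted is an assumption of this example rather than something the thread states.

```python
from urllib.parse import urlsplit

# Constructed example: the site being protected and the only origin
# allowed to submit state-changing requests to it.
SELF_ORIGIN = "https://example.org"
ALLOWED_ORIGINS = {SELF_ORIGIN}

# Methods that must not change state and therefore need no CSRF check.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def origin_of(url):
    """Reduce a URL to its scheme://host[:port] origin, or None if unparsable."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}".lower()


def csrf_check(method, headers, allowed_origins=ALLOWED_ORIGINS):
    """Return (allowed, reason) for one request.

    Order of preference: Origin, then Referer, then nothing. The last branch is
    the point of the thread: with neither header present the server cannot
    distinguish "never sent" from "stripped in the network", so any fixed
    decision is either a CSRF hole (allow) or a lockout of real users (deny).
    """
    if method.upper() in SAFE_METHODS:
        return True, "safe method, no state change"

    # HTTP header names are case-insensitive; normalise before lookup.
    h = {k.lower(): v for k, v in headers.items()}

    origin = h.get("origin")
    if origin is not None:
        # Assumption of this example: a privacy-sensitive "null" Origin is
        # simply not in the allow-list and is rejected like any foreign origin.
        if origin.lower() in allowed_origins:
            return True, "Origin allowed"
        return False, f"Origin {origin!r} not allowed"

    referer = h.get("referer")
    if referer is not None:
        ref_origin = origin_of(referer)
        if ref_origin in allowed_origins:
            return True, "Referer origin allowed"
        return False, f"Referer origin {ref_origin!r} not allowed"

    # Neither header: ambiguous. Denying is the safe choice for CSRF, but it
    # is exactly the choice that locks out users behind Referer-stripping proxies.
    return False, "no Origin or Referer: cannot distinguish absent from stripped"


def proxy_strip(headers, names=("Referer",)):
    """Constructed model of a privacy proxy that removes the named headers."""
    drop = {n.lower() for n in names}
    return {k: v for k, v in headers.items() if k.lower() not in drop}


# Constructed sample requests covering the cases discussed in the thread.
SAME_SITE = {"Origin": SELF_ORIGIN, "Referer": f"{SELF_ORIGIN}/settings"}
CROSS_SITE = {"Origin": "https://attacker.example",
              "Referer": "https://attacker.example/csrf.html"}
OLD_BROWSER = {"Referer": f"{SELF_ORIGIN}/settings"}  # no Origin support

SAMPLE_REQUESTS = {
    "same-site form post": ("POST", SAME_SITE),
    "cross-site form post": ("POST", CROSS_SITE),
    "old browser, Referer intact": ("POST", OLD_BROWSER),
    "old browser behind Referer-stripping proxy": ("POST", proxy_strip(OLD_BROWSER)),
    "Origin-capable browser behind same proxy": ("POST", proxy_strip(SAME_SITE)),
    "plain page load": ("GET", {}),
}


def run_samples():
    """Evaluate every constructed request; returns {name: (allowed, reason)}."""
    return {name: csrf_check(m, hdrs) for name, (m, hdrs) in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, (allowed, reason) in run_samples().items():
        print(f"{'ALLOW' if allowed else 'DENY ':5} {name}: {reason}")
```

Run directly, the two "behind proxy" lines are the ones to compare: the legitimate old-browser user is denied for the same reason a forged request with no headers would be, while the Origin-capable browser passes because the proxy left Origin alone, which is the measured behaviour Adam cites above. Henrik's objection applies unchanged to this code: if the proxy's strip list grows to include Origin, the last line of the sample output becomes a DENY as well.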