The HTTP Sec-From Header (draft-abarth-origin)

On Wed, Jun 24, 2009 at 10:55 PM, Adam Barth<w3c@adambarth.com> wrote:
> On Wed, Jun 24, 2009 at 10:46 PM, Mark Nottingham<mnot@mnot.net> wrote:
>> Do you have a spec for sec-from?
>
> http://tools.ietf.org/html/draft-abarth-origin-01
>
> This draft addresses the technical feedback I have receive on the -00
> version of the draft.  As I said in the previous email, I'm going to
> try to reply to all the outstanding emails in the next couple of days.

Turns out my folder of outstanding issues was mostly individual
emails.  I had an outstanding request for data from this WG on the
number of internal-to-external POST requests.  Out of a sample of one
million HTTP requests from an enterprise firewall:

1) 6% of the GET+POST requests were POST.
2) 10% of POSTs are cross-host.
3) There was exactly one POST from an internal host to an external host.

Caveats: I can't see HTTPS traffic with this methodology.  Different
enterprises might be different.  The enterprise in question does trip
the Referer header (although I collected the data prior to stripping).

Adam

Received on Sunday, 28 June 2009 23:13:07 UTC