Re: The HTTP Origin Header (draft-abarth-origin)

On Thu, 22 Jan 2009, Adam Barth wrote:

> This is not an assumption.  In April 2008, we measured how often various 
> headers were suppressed for 283,945 browsers who viewed an advertisement we 
> placed with a minor ad network.  We observed that the Referer header was 
> suppressed for approximately 3% of requests whereas the Origin header was 
> only suppressed for 0.029-0.047% of requests (95% confidence).

Surely this isn't really surprising. Referer is a standardized and established 
header that has been in use for a long time and proxy 
admins/products/companies have adapted and reacted.

Origin is a newly suggested header that certainly none of the 
admins/products/companies have bothered about since it isn't standardized nor 
in actual use and thus they don't block it - yet.

Further, the argument:

> the employee will not leak any information in the Origin header because it 
> is not sent for GET requests.

... will thus break when that same intranet has a 'search the web with loogle' 
field that sends a POST to the external site?



Received on Friday, 23 January 2009 08:46:29 UTC