
Re: The HTTP Origin Header (draft-abarth-origin)

From: Daniel Stenberg <daniel@haxx.se>
Date: Fri, 23 Jan 2009 09:36:02 +0100 (CET)
To: ietf-http-wg@w3.org
Message-ID: <alpine.DEB.1.10.0901230928010.10534@yvahk2.pbagnpgbe.fr>

On Thu, 22 Jan 2009, Adam Barth wrote:

> This is not an assumption.  In April 2008, we measured how often various
> headers were suppressed for 283,945 browsers who viewed an advertisement we
> placed with a minor ad network.  We observed that the Referer header was
> suppressed for approximately 3% of requests whereas the Origin header was
> only suppressed for 0.029-0.047% of requests (95% confidence).

Surely this isn't really surprising. Referer is a standardized and established 
header that has been in use for a long time and proxy 
admins/products/companies have adapted and reacted.

Origin is a newly suggested header that certainly none of the 
admins/products/companies have bothered about since it isn't standardized nor 
in actual use and thus they don't block it - yet.

Further, the argument:

> the employee will not leak any information in the Origin header because it 
> is not sent for GET requests.

... will thus break when that same intranet has a 'search the with loogle' 
field that sends a POST to the external site?


  / daniel.haxx.se
Received on Friday, 23 January 2009 08:46:29 UTC
