Re: The HTTP Origin Header (draft-abarth-origin)

Robert Sayre wrote on 1/24/2009 6:22 AM: 
> Information on the quantity would be nice to have, but I don't think a
> new CSRF mitigation technique should introduce a privacy leak,
> especially when it looks like there might be a way to avoid it that
> you haven't explored.

The most common use-case for the Origin header is to confirm the request originated from the same host (which is what the "secret token" defense is used for).

One way to avoid privacy issues entirely would be to only send the Origin header when the request is going back to the same host; that still allows a site to avoid CSRF for the most common use-case and eliminates the privacy issues.  In fact, when done this way, the Origin header can be included for all requests, including GET.  For sites that mis-implement GET, this is probably a more attractive solution anyhow.


- Bil

Received on Saturday, 24 January 2009 14:29:56 UTC
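The same-host Origin check sketched in this message, written out as an added example (this is not code from the thread or from the draft). It is a server-side helper that accepts a state-changing request, whatever its method, only when the Origin header names the site's own origin. Under the proposal the browser sends Origin only on same-host requests, so a missing header means either a cross-site request or a browser without Origin support; the helper then falls back to the secret-token defense the message mentions. The site origin, the token set, the `csrf_token` form field and the `normalize_origin`/`accept_request` names are all assumptions made for the example.

```python
"""Same-host Origin check for CSRF (constructed example, not the draft's code)."""
from urllib.parse import urlsplit

SITE_ORIGIN = "https://example.test"          # assumption: the site's own origin
VALID_TOKENS = {"constructed-token-abc123"}   # assumption: secret tokens the site issued


def normalize_origin(origin):
    """Canonicalize 'scheme://host[:port]' for comparison; None for anything else.

    Lower-cases scheme and host, drops a default port and rejects values that
    carry a path, query or fragment (an Origin is a bare origin, not a URL).
    """
    parts = urlsplit(origin.strip())
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        return None
    try:
        port = parts.port          # raises ValueError on a non-numeric port
    except ValueError:
        return None
    default = 80 if parts.scheme == "http" else 443
    host = parts.hostname.lower()
    if port in (None, default):
        return f"{parts.scheme}://{host}"
    return f"{parts.scheme}://{host}:{port}"


def accept_request(headers, method, form=None, site_origin=SITE_ORIGIN):
    """Decide whether a state-changing request may proceed.

    Applies to every method, GET included, since the proposal sends Origin on
    all same-host requests. Returns (accepted, reason).
    """
    lower = {k.lower(): v for k, v in headers.items()}   # header names are case-insensitive
    origin = lower.get("origin")

    if origin is not None:
        norm = normalize_origin(origin)
        if norm is None:
            return False, "malformed Origin header"
        if norm == normalize_origin(site_origin):
            return True, f"Origin matches own origin ({method})"
        # Under the same-host-only proposal a browser never sends a foreign
        # Origin; if one arrives anyway, it is not ours, so reject it.
        return False, "Origin names another site"

    # No Origin: cross-site request, or a browser that does not send the header.
    # Fall back to the secret-token defense (assumed form field 'csrf_token').
    token = (form or {}).get("csrf_token")
    if token in VALID_TOKENS:
        return True, "no Origin header; secret token valid"
    return False, "no Origin header and no valid token: possible CSRF"


if __name__ == "__main__":
    # Constructed sample requests.
    samples = [
        ({"Origin": "https://example.test"}, "POST", None),
        ({"origin": "HTTPS://Example.Test:443/"}, "GET", None),
        ({"Origin": "https://evil.test"}, "POST", None),
        ({}, "POST", {"csrf_token": "constructed-token-abc123"}),
        ({}, "GET", None),
    ]
    for hdrs, meth, frm in samples:
        print(meth, hdrs, accept_request(hdrs, meth, frm))
```

The fallback branch is the practical point: while the header is missing from some browsers, a site cannot tell a cross-site request from an old client, so the secret token has to stay in place and the Origin check only adds coverage for clients that send it.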