Re: The HTTP Origin Header (draft-abarth-origin)

* Adam Barth wrote:
>I was trying to make the point that Web sites cannot rely on the
>Referer header to build a CSRF defense.

I believe that point is somewhere between misleading and incorrect, but
for the sake of argument let me make this point instead: Web sites
cannot rely on the Origin header to build a CSRF defense. Now I'd like to
know how your point can reasonably be believed to be correct, but my point
reasonably believed to be incorrect, at some point within the next seven
years. Or, if you agree with my point, why you raise this point here.
-- 
Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de
Am Badedeich 7 · Telefon: +49(0)160/4415681 · http://www.bjoernsworld.de
25899 Dagebüll · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/ 

Received on Saturday, 24 January 2009 16:45:28 UTC