- From: Bjoern Hoehrmann <derhoermi@gmx.net>
- Date: Sat, 24 Jan 2009 17:44:50 +0100
- To: Adam Barth <w3c@adambarth.com>
- Cc: ietf-http-wg@w3.org
* Adam Barth wrote: >I was trying to make the point that Web sites cannot rely on the >Referer header to build a CSRF defense. I believe that point is somewhere between misleading and incorrect, but for the sake of argument let me make this point instead: Web sites can- not rely on the Origin header to build a CSRF defense. Now I'd like to know how your point can reasonably believed to be correct, but my point reasonably believed to be incorrect, at some point within the next seven years. Or, if you agree with my point, why you raise this point here. -- Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de Am Badedeich 7 · Telefon: +49(0)160/4415681 · http://www.bjoernsworld.de 25899 Dagebüll · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/
Received on Saturday, 24 January 2009 16:45:28 UTC