Re: The HTTP Origin Header (draft-abarth-origin)

On Sat, Jan 24, 2009 at 6:29 AM, Bil Corry <bil@corry.biz> wrote:
> The most common use-case for the Origin header is to confirm the request originated from the same host (which is what the "secret token" defense is used for).

The secret token defense is not limited to a single host name.

> One way to avoid privacy issues entirely would be to only send the Origin header when the request is going back to the same host; that still allows a site to avoid CSRF for the most common use-case and that eliminates the privacy issues.  In fact, when done this way, the Origin header can be included for all requests, including GET.  For sites that mis-implement GET, this is probably a more attractive solution anyhow.

This is an interesting suggestion and worthy of further thought.
Essentially, this version of the header would convey the same bits in
Rob's proposal but in an easier to understand form.  We should seek
feedback from Web site operators about whether they'd prefer the
Origin header for GET requests or for cross-host requests (with the
constraint that they can't have both for privacy reasons).

I've noted this proposal in the draft.

Thanks for your feedback,
Adam

Received on Saturday, 24 January 2009 18:11:31 UTC
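The server-side check the thread is discussing, as an added example that is not part of the original mail or of the draft: a state-changing request is accepted when its Origin header matches one of the site's own origins, rejected when it names a foreign origin, and falls back to the secret-token defense when no Origin header arrives at all. `TRUSTED_ORIGINS`, the function names, the `headers` dict keyed by `Origin`, and the `csrf_token` form field are all assumptions made for this illustration.

```python
import hmac
from urllib.parse import urlsplit

# Constructed site configuration (assumption): the origins this server
# treats as its own.  A site spanning several hosts lists them all here.
TRUSTED_ORIGINS = {"https://example.com", "https://app.example.com"}


def normalize_origin(value):
    """Reduce an Origin header value to scheme://host[:port] for comparison.
    Returns None for anything unparseable, including the literal "null"."""
    parts = urlsplit(value.strip())
    if not parts.scheme or not parts.hostname:
        return None
    host = parts.hostname.lower()
    default_port = {"https": 443, "http": 80}.get(parts.scheme)
    if parts.port is None or parts.port == default_port:
        return f"{parts.scheme}://{host}"
    return f"{parts.scheme}://{host}:{parts.port}"


def csrf_verdict(method, headers, form, session_token):
    """Decide whether a request may change server state.
    Returns "allow", "reject-cross-origin" or "reject-no-token".
    Safe methods pass through: the defense is applied to non-GET requests."""
    if method.upper() in ("GET", "HEAD", "OPTIONS"):
        return "allow"
    origin = headers.get("Origin")
    if origin is not None:
        # Origin present: accept only an origin the site recognises as itself.
        if normalize_origin(origin) in TRUSTED_ORIGINS:
            return "allow"
        return "reject-cross-origin"
    # No Origin header (older client, or suppressed for privacy): fall back
    # to the secret-token defense, comparing in constant time.
    submitted = form.get("csrf_token", "")
    if submitted and hmac.compare_digest(submitted, session_token):
        return "allow"
    return "reject-no-token"
```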