Re: The HTTP Origin Header (draft-abarth-origin)

On Sat, 24 Jan 2009, Adam Barth wrote:
> On Sat, Jan 24, 2009 at 6:29 AM, Bil Corry <> wrote:
> > 
> > One way to avoid privacy issues entirely would be to only send the 
> > Origin header when the request is going back to the same host; that 
> > still allows a site to avoid CSRF for the most common use-case and the 
> > eliminates the privacy issues.  In fact, when done this way, the 
> > Origin header can be included for all requests, including GET.  For 
> > sites that mis-implement GET, this is probably a more attractive 
> > solution anyhow.
> This is an interesting suggestion and worthy of further thought. 
> Essentially, this version of the header would convey the same bits in 
> Rob's proposal but in an easier to understand form.  We should seek 
> feedback from Web site operators about whether they'd prefer the Origin 
> header for GET requests or for cross-host requests (with the constraint 
> that they can't have both for privacy reasons).

This solution would fail to satisfy the original use case of Origin, 
namely to let the server in an XHR2 scenario know who the origin was so it 
could make educated decisions about letting information out.

Ian Hickson               U+1047E                )\._.,--....,'``.    fL       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

Received on Saturday, 24 January 2009 20:52:35 UTC