Re: The HTTP Origin Header (draft-abarth-origin) from Adam Barth on 2009-01-24 (ietf-http-wg@w3.org from January to March 2009)

From: Adam Barth <w3c@adambarth.com>
Date: Sat, 24 Jan 2009 15:51:21 -0800
To: Robert Sayre <sayrer@gmail.com>
Cc: "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
Message-ID: <7789133a0901241551k3d275d9cid2a8e901fe3cbdca@mail.gmail.com>

On Sat, Jan 24, 2009 at 1:38 PM, Robert Sayre <sayrer@gmail.com> wrote:
> It no doubt occurs, since the web makes it easy to do. Do you
> disagree?

Even if it does occur, the document.referrer property is a much larger
privacy leak than the Origin header because:

1) document.referrer is present for GET requests (e.g., simple hyperlinks)
2) document.referrer is not suppressed by proxies

> I agree the quantity is hard to guess at, and the nature of
> the problem makes it hard to get data for, if you think about it.

I'm attempting to gather data on this point.  I'll report back if/when
I have hard data I can share.

> Again, I don't think the quantity argument is a good one, since the
> problem is that people can install a new browser and leak data in new
> ways, by default. In my project, it's unusual to dismiss security or
> privacy bugs by saying "well, it only happened to a few people".

The quantity is important.  If intranet sites with sensitive host
names POST to untrusted Internet sites as often as intranet sites with
sensitive host names, paths, or query strings have hyperlinks to
untrusted Internet sites, then we should worry a lot about this issue.
 If this occurs 10,000x less often, then I don't believe this is a
large concern.

> Asking people to provide data is often a good thing, especially when
> they're proposing features, but in this case it seems like you're
> using it to squash a pretty valid concern when the burden of proof is
> on you. Where would such a rhetorical tactic fly?

I agree that the person proposing to change the status quo has a
higher burden of proof, but we have yet to see a single anecdotal
example of the problem you imagine.

>> I welcome suggestions for a solution that address the same use cases
>> with further privacy protections.
>
> Didn't I just give one, or do you want me to design a full URL
> comparison for you? I guess I can throw something together if you
> insist.

You're welcome to contribute another solution.  I'm glad that Bill
contributed his proposal.  I welcome more proposals.

Adam

Received on Saturday, 24 January 2009 23:51:56 UTC