- From: Adrien de Croy <adrien@qbik.com>
- Date: Mon, 26 Jan 2009 12:51:31 +1300
- To: Adam Barth <w3c@adambarth.com>
- CC: Mark Nottingham <mnot@mnot.net>, "Roy T. Fielding" <fielding@gbiv.com>, Larry Masinter <LMM@acm.org>, ietf-http-wg@w3.org, Lisa Dusseault <ldusseault@commerce.net>
Adam Barth wrote:
> The Origin header is incrementally useful as a CSRF defense. Users
> with supporting user agents will benefit. Users without supporting
> user agents will be no worse off than they are today. This is
> different than the situation we are in today because sites must
> engineer complex CSRF defense to help any of their users. The Origin
> header lets sites protect some of their users with minimal effort.
>

My question then is should we be pouring effort into a solution that is only incrementally useful.

As a site operator myself, I'm not particularly interested in very easily being able to protect a very small number of users. We need to protect ALL our users. If this means we have to go to some secure token-based approach, then why bother with anything else as well?

As long as there is an appreciable proportion of our user-base using a browser that doesn't support Origin, we will need to cater to them. By your argument, a show-stopper proportion is at least 3% or less. It just seems to make the Origin header a bit redundant.

Also, without any sort of decent crypto involved, any reliance on client-supplied data for real security seems destined to fail.

Even if you could get the major browsers to support it, getting servers to support it would be several orders of magnitude more difficult. For many sites it would require patching scripts... lots of them. Why would I go to all the effort to patch all our scripts to check Origin to only protect a vanishingly-small-maybe-growing-but-never-enough proportion of my users when I could get them all with a decent system?

Regards

Adrien

> Adam
>

--
Adrien de Croy - WinGate Proxy Server - http://www.wingate.com
Received on Sunday, 25 January 2009 23:49:26 UTC
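The two defences the thread compares, as an added example that is not part of the original message or of any WinGate code: a server-side check that rejects a state-changing request when a supplied Origin (or, failing that, Referer) does not match the site, and otherwise falls back to the synchronizer token that every client, Origin-capable or not, must carry. The allowed origin `https://www.example.com`, the function names and the sample requests are assumptions made up for the illustration.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Assumed site origin; a real deployment would list every origin its forms are served from.
ALLOWED_ORIGINS = {"https://www.example.com"}


def mint_token():
    """Per-session anti-CSRF token, stored server-side and echoed in each form."""
    return secrets.token_urlsafe(32)


def origin_check(headers):
    """Verdict from browser-supplied origin information.

    Returns True  if Origin (or the origin part of Referer) is one of ours,
            False if it is present but foreign (or the opaque 'null' origin),
            None  if neither header was sent, i.e. a user agent that gives us
                  nothing to check and must be covered by the token alone.
    """
    origin = headers.get("Origin")
    if origin is None:
        referer = headers.get("Referer")
        if referer is None:
            return None
        parts = urlsplit(referer)
        origin = f"{parts.scheme}://{parts.netloc}"
    if origin == "null":
        return False
    return origin in ALLOWED_ORIGINS


def token_check(session_token, submitted_token):
    """Constant-time comparison of the form token against the session copy."""
    if not session_token or not submitted_token:
        return False
    return hmac.compare_digest(session_token, submitted_token)


def is_csrf_safe(method, headers, session_token, submitted_token):
    """Decide whether a request may change state.

    Safe methods are allowed through; for everything else a wrong Origin is an
    immediate reject, and a matching or absent Origin still requires the token,
    so Origin-capable browsers get an extra layer while older ones are no worse off.
    """
    if method.upper() in ("GET", "HEAD", "OPTIONS"):
        return True
    if origin_check(headers) is False:
        return False
    return token_check(session_token, submitted_token)


# Constructed sample requests (header dicts as a framework would hand them over).
SAME_ORIGIN_POST = {"Origin": "https://www.example.com"}
CROSS_ORIGIN_POST = {"Origin": "https://attacker.example"}
LEGACY_POST = {}  # old user agent: no Origin, Referer stripped by a proxy

if __name__ == "__main__":
    tok = mint_token()
    for label, hdrs, sent in (("same-origin", SAME_ORIGIN_POST, tok),
                              ("cross-origin", CROSS_ORIGIN_POST, tok),
                              ("legacy, no token", LEGACY_POST, None),
                              ("legacy, with token", LEGACY_POST, tok)):
        print(f"{label:20} -> {is_csrf_safe('POST', hdrs, tok, sent)}")
```

The cross-origin request is refused even though it carries a valid token (a leaked token does an attacker no good from a foreign origin), while the legacy request with no Origin is accepted only on the strength of the token, which is the part of the design the thread argues a site cannot do without.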