Re: The HTTP Origin Header (draft-abarth-origin)

Adam Barth wrote:
> On Mon, Jan 26, 2009 at 2:00 AM, Thomas Broyer <> wrote:
>> What if the UA discard the Origin value (i.e. use "null" or some other
>> value) when crossing "zone" boundaries?
> That's an interesting idea.  I'm not sure we have the notion of a
> "zone" available to us at this level of abstraction.  Internet
> Explorer certainly has that concept, but I'm not sure other browsers
> do.

It seems not.

>> When an Intranet web page issues a request to an Internet resource,
>> then the UA SHOULD send "Origin: null" instead of "Origin:
>> http://<intranet-server>".
> We could recommend this in the non-normative privacy considerations
> section.  It's certainly permitted by the current draft.

If the Origin header is sent only for POST requests, the probability of
intranet information leakage is almost null in examples like the ones
previously cited.
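A worked model of the behaviour discussed in this thread, added here as an example and not part of the original message or the draft: the UA sends Origin only on POST and replaces it with "null" when an intranet page posts to an Internet resource, and a receiving server treats "null" as untrusted for state-changing requests. The zone heuristic (private-range IP literals and dotless hostnames count as intranet) is an assumption, since, as noted above, most browsers have no zone concept.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumed zone model (not from the draft): a host is "intranet" when it is a
# private/loopback/link-local IP literal or a dotless name like "intranet-server".
def is_intranet_host(host):
    try:
        addr = ipaddress.ip_address(host)
        return addr.is_private or addr.is_loopback or addr.is_link_local
    except ValueError:
        return "." not in host


def serialize_origin(url):
    """Serialize scheme://host[:port], omitting the scheme's default port."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = parts.hostname or ""
    default_port = {"http": 80, "https": 443}.get(scheme)
    if parts.port is None or parts.port == default_port:
        return f"{scheme}://{host}"
    return f"{scheme}://{host}:{parts.port}"


def origin_header_for_request(page_url, target_url, method):
    """Value the UA sends as Origin, or None to omit the header entirely."""
    if method.upper() != "POST":
        return None  # only POST carries Origin, per the suggestion in the thread
    page_host = urlsplit(page_url).hostname or ""
    target_host = urlsplit(target_url).hostname or ""
    if is_intranet_host(page_host) and not is_intranet_host(target_host):
        return "null"  # crossing the intranet -> Internet boundary: hide the origin
    return serialize_origin(page_url)


def server_accepts_post(origin_value, allowed_origins):
    """Server side: accept a POST only if Origin is present, not "null", and allow-listed."""
    if origin_value is None or origin_value == "null":
        return False
    return origin_value in allowed_origins


if __name__ == "__main__":
    # Constructed sample requests illustrating the two cases from the thread.
    print(origin_header_for_request("http://intranet-server/app", "http://example.com/api", "POST"))
    print(origin_header_for_request("http://10.0.0.5:8080/app", "http://10.0.0.9/api", "POST"))
```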
