- From: Emilio Casbas <ecasbas@s21sec.com>
- Date: Tue, 27 Jan 2009 01:36:25 +0100
- To: Adam Barth <w3c@adambarth.com>
- CC: Thomas Broyer <t.broyer@gmail.com>, ietf-http-wg@w3.org
Received on Tuesday, 27 January 2009 00:38:01 UTC
Adam Barth wrote:
> On Mon, Jan 26, 2009 at 2:00 AM, Thomas Broyer <t.broyer@gmail.com> wrote:
>
>> What if the UA discards the Origin value (i.e. uses "null" or some other
>> value) when crossing "zone" boundaries?
>>
>
> That's an interesting idea. I'm not sure we have the notion of a
> "zone" available to us at this level of abstraction. Internet
> Explorer certainly has that concept, but I'm not sure other browsers
> do.
>
It seems not.
http://code.google.com/p/browsersec/wiki/Part3#Microsoft_Internet_Explorer_zone_model

>
>> When an Intranet web page issues a request to an Internet resource,
>> then the UA SHOULD send "Origin: null" instead of "Origin:
>> http://<intranet-server>".
>>
>
> We could recommend this in the non-normative privacy considerations
> section. It's certainly permitted by the current draft.
>
If the Origin header is sent only for POST requests, the probability of intranet information leakage is almost null in examples like the one previously cited.

Regards
Emilio
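An added illustration of the two ideas in this message combined (not code from any participant, browser or the draft): a UA-side decision of which Origin value to attach. The Intranet/Internet zone classification is my own assumption, since the thread notes that only IE has a real zone model.

```python
import ipaddress
from urllib.parse import urlsplit


def is_intranet(host):
    """Assumed zone heuristic: private, loopback and link-local addresses,
    dotless hostnames and *.local names count as "Intranet"; anything
    else counts as "Internet". Real browsers would use a richer policy."""
    if not host:
        return False
    try:
        ip = ipaddress.ip_address(host)
        return ip.is_private or ip.is_loopback or ip.is_link_local
    except ValueError:
        return "." not in host or host.endswith(".local")


def serialize_origin(url):
    """scheme://host[:port], the form the Origin header carries."""
    parts = urlsplit(url)
    origin = f"{parts.scheme}://{parts.hostname}"
    if parts.port is not None:
        origin += f":{parts.port}"
    return origin


def origin_header(page_url, target_url, method):
    """Value for the Origin header of a request issued by page_url to
    target_url, or None when no header should be sent.

    - Header only on POST (Emilio's point): GET etc. never leak it.
    - Intranet page -> Internet target (Thomas's point): send "null" so the
      internal server name never reaches the outside resource.
    """
    if method.upper() != "POST":
        return None
    page_host = urlsplit(page_url).hostname
    target_host = urlsplit(target_url).hostname
    if is_intranet(page_host) and not is_intranet(target_host):
        return "null"
    return serialize_origin(page_url)


if __name__ == "__main__":
    # Constructed sample: an internal wiki posting to a public API.
    print(origin_header("http://10.0.0.5:8080/wiki", "https://example.com/api", "POST"))
```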