Re: The HTTP Origin Header (draft-abarth-origin)

On Mon, Jan 26, 2009 at 5:41 PM, Larry Masinter <LMM@acm.org> wrote:
> Treating Referer like some kind of urban blight which we just leave to
> molder seems odd to me. Is Referer deprecated? Expected to be sent as well,
> but then frequently stripped?

Although the Referer header is not useful as a CSRF defense, the
Referer header is useful for a number of other purposes.  For example:

1) The Referer header tells me which search terms visitors to
http://www.adambarth.com/ used to find my home page.

2) The Referer header helps me track down pages that are still linking
to my old home page (at adambarth.org).

3) Many bloggers use the Referer header to link to pages that link to
their posts (trackback).

> If the main difference between "Referer" and
> "Origin" is that Referer contains too much information or is sent at the
> wrong time, why not just fix "Referer"? It shouldn't be any harder to change
> an existing header (compatibly) than it is to invent a new one.

That would break the above use cases.

> I think the discussion confuses the cost/benefits for different
> constituencies.

I didn't understand the point you were trying to make with this
analysis.  Instead of listing the costs and benefits of various
actions to various constituencies, you just described what you thought
each party would do without explaining why.

> You can't benefit browser users until a significant number of server
> operators deploy this.

A user of a supporting browser will benefit as soon as one Web site
they use adopts the defense.

> But server operators will be reluctant to deploy
> without browser implementation.

The cost to deploy the defense is small and the benefit scales with
the deployment of supporting browsers.  At some point, the benefits of
deploying the defense will eclipse its cost.  My guess is this turning
point will come long before the Origin header reaches 90% deployment.

> Meanwhile, if firewalls start blocking the
> header, then the benefit curve will go down, not up, and it will be another
> set of useless bytes sent over the wire only to be parsed and blocked later
> (i.e., just more cost).

We have yet to see even anecdotal evidence that firewall customers
will benefit from demanding that firewall vendors block the header.

Adam

Received on Tuesday, 27 January 2009 02:55:57 UTC
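The server-side check the thread is arguing about, as an added example in Python (not code from this message or from draft-abarth-origin): it rejects state-changing requests whose Origin header names a site outside an allowlist, and treats a request with no Origin header (a browser that does not send it, or a firewall that stripped it) as unprotected rather than broken, which is the per-site, per-browser benefit Adam describes. The allowlist, the result names and the handling of the "null" value are assumptions of the example.

```python
from typing import Mapping, Optional

# Constructed allowlist for the example: origins permitted to issue
# state-changing requests to this site (assumption, not from the thread).
ALLOWED_ORIGINS = frozenset({"https://www.example.com", "https://app.example.com"})

# Methods that should not change server state; CSRF targets state changes,
# so the Origin check is applied only to the other methods.
SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS"})


def origin_csrf_decision(method: str, headers: Mapping[str, str],
                         allowed: frozenset = ALLOWED_ORIGINS) -> str:
    """Decide how to treat a request based solely on its Origin header.

    Returns:
      "allow"        safe method, or Origin is on the allowlist
      "allow-legacy" no Origin header at all: a non-supporting browser or a
                     stripping firewall; the site cannot protect this request,
                     but it keeps working, so benefit grows with browser support
      "reject"       Origin is present but names another site, or is "null"
    """
    if method.upper() in SAFE_METHODS:
        return "allow"
    # HTTP header names are case-insensitive, so look the header up that way.
    origin: Optional[str] = None
    for name, value in headers.items():
        if name.lower() == "origin":
            origin = value.strip()
            break
    if origin is None:
        return "allow-legacy"
    # "null" is what a browser sends when it declines to reveal the origin
    # (assumption based on the Origin header specification); never trust it.
    if origin == "null":
        return "reject"
    # Origin carries only scheme://host[:port], no path, so an exact,
    # case-insensitive comparison suffices; no prefix matching as with Referer.
    if origin.lower() in allowed:
        return "allow"
    return "reject"


if __name__ == "__main__":
    # Constructed requests: a cross-site POST, a same-site POST, a legacy POST.
    print(origin_csrf_decision("POST", {"Origin": "https://attacker.example"}))
    print(origin_csrf_decision("POST", {"Origin": "https://www.example.com"}))
    print(origin_csrf_decision("POST", {}))
```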