- From: Ian Hickson <ian@hixie.ch>
- Date: Thu, 7 Feb 2008 23:00:59 +0000 (UTC)
- To: "Close, Tyler J." <tyler.close@hp.com>
- Cc: Jonas Sicking <jonas@sicking.cc>, "WAF WG (public)" <public-appformats@w3.org>
On Thu, 7 Feb 2008, Close, Tyler J. wrote:
> >
> > A hostile client can already do cross-site third party requests.
>
> But can the hostile client convincingly blame another site for the
> request?

Yes, of course. The Referer header (which is what is currently used to determine who sent the request) can obviously be faked along with everything else. Referer-Root is only a subset of Referer -- it has the path information removed, so that we can include it without leaking privacy-critical information like account IDs which might be in the path or CGI parameters of the requesting page.

> That's the new part.

Referer-Root is not new. It's a subset of an existing header.

> A hostile client can send a request that looks like it was sent by an
> honest client and is the fault of the Referer-Root site.

A hostile client can take a request from party A, change it, send it to party B, without ever involving evil party C. It can just _be_ the evil party.

The only way around this is for parties A and B to use encryption or signing from the server side, without trusting the hostile client at all. This is the case both today, without Access-Control, and with any implementation of Access-Control that I can imagine.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Thursday, 7 February 2008 23:01:15 UTC
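
Added example, not part of the archived message: a minimal sketch of the server-side signing the message names as the only way around a hostile client, shown beside header-based attribution. The shared key, the token layout and the function names are assumptions made for illustration; the sample values are constructed.

```python
import hashlib
import hmac
import json

# Constructed demo key; assumed to be provisioned between servers A and B out of band.
SHARED_KEY = b"constructed-demo-key-shared-by-A-and-B"
MAX_AGE = 300  # seconds a signed request stays acceptable (assumed policy)


def claimed_origin(headers: dict):
    """Header-based attribution: returns whatever the client chose to send."""
    return headers.get("Referer-Root")


def sign_request(body: dict, issued_at: int, key: bytes = SHARED_KEY) -> dict:
    """Party A's server: sign the request body before handing it to the client."""
    payload = json.dumps({"body": body, "iat": issued_at},
                         sort_keys=True, separators=(",", ":"))
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return {"payload": payload, "tag": tag}


def verify_request(token: dict, now: int, key: bytes = SHARED_KEY):
    """Party B's server: accept only what A signed; request headers play no part."""
    payload = token.get("payload")
    if not isinstance(payload, str):
        return None
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison of the recomputed tag with the relayed one.
    if not hmac.compare_digest(expected.encode(), str(token.get("tag")).encode()):
        return None
    data = json.loads(payload)
    # Freshness window only limits how long a relayed token is usable;
    # it does not stop the client replaying it inside the window.
    if not 0 <= now - data["iat"] <= MAX_AGE:
        return None
    return data["body"]


if __name__ == "__main__":
    token = sign_request({"action": "transfer", "amount": 10}, issued_at=1000)
    # The client alters the body and sets any header value it likes.
    altered = dict(token, payload=token["payload"].replace('"amount":10', '"amount":9999'))
    forged_headers = {"Referer-Root": "https://a.example"}
    print("header says:", claimed_origin(forged_headers))        # attribution is client-controlled
    print("altered accepted:", verify_request(altered, now=1100))  # None: tag no longer matches
    print("original accepted:", verify_request(token, now=1100))
```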