- From: poot <cvsmail@w3.org>
- Date: Tue, 2 Dec 2008 20:29:37 +0900 (JST)
- To: public-html-diffs@w3.org
CSRF mitigation -- add Origin header to all non-GET requests. (whatwg r2525) Fragment identifiers: If the absolute URL of the new resource is the same as the address of the active document of the browsing context being navigated, ignoring any <fragment> components of those URLs, and the new resource is to be fetched using HTTP GET or equivalent, then navigate to that fragment identifier and abort these steps. http://people.w3.org/mike/diffs/html5/spec/Overview.1.1696.html#navigate-fragid-step 5.6.2.1 Security and privacy http://people.w3.org/mike/diffs/html5/spec/Overview.1.1696.html#security-and-privacy cookie http://people.w3.org/mike/diffs/html5/spec/Overview.1.1696.html#dom-document-cookie referrer http://people.w3.org/mike/diffs/html5/spec/Overview.1.1696.html#dom-document-referrer 5.11.2.1 Hyperlink auditing http://people.w3.org/mike/diffs/html5/spec/Overview.1.1696.html#hyperlink-auditing http://people.w3.org/mike/diffs/html5/spec/Overview.diff.html http://dev.w3.org/cvsweb/html5/spec/Overview.html?r1=1.1695&r2=1.1696&f=h http://html5.org/tools/web-apps-tracker?from=2524&to=2525 =================================================================== RCS file: /sources/public/html5/spec/Overview.html,v retrieving revision 1.1695 retrieving revision 1.1696 diff -u -d -r1.1695 -r1.1696 --- Overview.html 2 Dec 2008 10:59:31 -0000 1.1695 +++ Overview.html 2 Dec 2008 11:27:02 -0000 1.1696 @@ -4803,8 +4803,9 @@ originating page, or if the UA has been configured not to report referrers in this case, or if the navigation was initiated for a <a href=#hyperlink>hyperlink</a> with a <code title=rel-noreferrer><a href=#link-type-noreferrer>noreferrer</a></code> keyword.<p class=note>In the case of HTTP, the <code title=dom-document-referrer><a href=#dom-document-referrer>referrer</a></code> DOM attribute will - match the <code title="">Referer</code> (sic) header that was sent - when <a href=#fetch title=fetch>fetching</a> the current page.<p class=note>Typically user agents are configured to not report + match the <code title=http-referer>Referer</code> (sic) header + that was sent when <a href=#fetch title=fetch>fetching</a> the current + page.<p class=note>Typically user agents are configured to not report referrers in the case where the referrer uses an encrypted protocol and the current page does not (e.g. when navigating from an <code title="">https:</code> page to an <code title="">http:</code> page).</p><hr><p>The <dfn id=dom-document-cookie title=dom-document-cookie><code>cookie</code></dfn> @@ -28182,8 +28183,8 @@ to consider allowing administrators to disable this feature for certain subdomains, content types, or protocols.<p><strong>Leaking secure URLs.</strong> User agents should not send HTTPS URLs to third-party sites registered as content handlers, in - the same way that user agents do not send <code>Referer</code> - headers from secure sites to third-party sites.<p><strong>Leaking credentials.</strong> User agents must never send + the same way that user agents do not send <code title=http-referer>Referer</code> headers from secure sites to + third-party sites.<p><strong>Leaking credentials.</strong> User agents must never send username or password information in the URLs that are escaped and included sent to the handler sites. User agents may even avoid attempting to pass to Web-based handlers the URLs of resources @@ -29957,10 +29958,6 @@ user agent must then get the resource from the <a href=#concept-appcache-selection title=concept-appcache-selection>most appropriate application cache</a> of those that match.</p> - <p>Otherwise, <a href=#fetch>fetch</a> the new resource. If this results - in a redirect, return to <a href=#navigate-fragid-step>the step - labeled "fragment identifiers"</a> with the new resource.</p> - <p class=example>For example, imagine an HTML page with an associated application cache displaying an image and a form, where the image is also used by several other application caches. If the @@ -29973,7 +29970,26 @@ application cache at all; the submission will be made to the network.</p> - </li> + <p>Otherwise, <a href=#fetch>fetch</a> the new resource. If the resource + is being fetched using HTTP, and the method is not GET<!-- or HEAD + (but that can't happen) -->, then the user agent must include an + <code title=http-origin>Origin</code> header whose value is + determined as follows:</p> + + <dl class=switch><dt>If the <a href=#navigate title=navigate>navigation</a> algorithm has + so far contacted more than one <a href=#origin-0>origin</a></dt> + <dt>If there is no <a href=#source-browsing-context>source browsing context</a></dt> + + <dd>The value must be the string "<code title="">null</code>".</dd> + + <dt>Otherwise</dt> + + <dd>The value must be the <a href=#ascii-serialization-of-an-origin title="ASCII serialization of an + origin">ASCII serialization</a> of the <a href=#origin-0>origin</a> of + the <a href=#active-document>active document</a> of the <a href=#source-browsing-context>source browsing + context</a> at the time the navigation was started.</dd> + + </dl></li> <li> @@ -29987,6 +30003,15 @@ </li> + <li> + + <p>If fetching the resource results in a redirect, return to <a href=#navigate-fragid-step>the step labeled "fragment + identifiers"</a> with the new resource.</p> + + <p class=note>Cross-origin redirects cause the <code title=http-origin>Origin</code> header to become "<code title="">null</code>" on subsequent requests in the chain.</p> + + </li> + <li><p>Wait for one or more bytes to be available or for the user agent to establish that the resource in question is empty. During this time, the user agent may allow the user to cancel this @@ -31360,8 +31385,8 @@ done in parallel with the primary request, and is independent of the result of that request.<p>User agents should allow the user to adjust this behavior, for example in conjunction with a setting that disables the sending of - HTTP <code title="">Referer</code> headers. Based on the user's - preferences, UAs may either <a href=#ignore>ignore</a> the <code title=attr-hyperlink-ping><a href=#ping>ping</a></code> attribute altogether, or + HTTP <code title=http-referer>Referer</code> headers. Based on the + user's preferences, UAs may either <a href=#ignore>ignore</a> the <code title=attr-hyperlink-ping><a href=#ping>ping</a></code> attribute altogether, or selectively ignore URLs in the list (e.g. ignoring any third-party URLs).<p>For URLs that are HTTP URLs, the requests must be performed by <a href=#fetch title=fetch>fetching</a> the specified URLs using the @@ -31372,33 +31397,41 @@ of the <code>Document</code> object containing the hyperlink being audited and the ping URL have the <a href=#same-origin>same origin</a></dt> - <dd>The request must include a <code title="">Ping-From</code> HTTP - header with, as its value, the <a href=#the-document-s-address title="the document's - address">address</a> of the document containing the hyperlink, - and a <code title="">Ping-To</code> HTTP header with, as its value, + <dd>The request must include a <code title=http-ping-from>Ping-From</code> HTTP header with, as its + value, the <a href=#the-document-s-address title="the document's address">address</a> of + the document containing the hyperlink, and a <code title=http-ping-to>Ping-To</code> HTTP header with, as its value, the address of the <a href=#absolute-url>absolute URL</a> of the target of the - hyperlink. The request must not include a <code title="">Referer</code> HTTP header. <!-- why not? --></dd> + hyperlink. The request must not include a <code title=http-referer>Referer</code> HTTP header. <!-- because + otherwise it would look like a trustable same-origin POST --></dd> <dt>Otherwise, if the origins are different, but the document containing the hyperlink being audited was not retrieved over an - encrypted connection</dt> <!-- why different? --> + encrypted connection</dt> <dd>The request must include a <code title="">Referer</code> HTTP header [sic] with, as its value, the <a href=#the-document-s-address title="the document's address">address</a> of the document containing the hyperlink, a - <code title="">Ping-From</code> HTTP header with the same value, - and a <code title="">Ping-To</code> HTTP header with, as its value, - the address of the target of the hyperlink.</dd> + <code title=http-ping-from>Ping-From</code> HTTP header with the + same value, and a <code title=http-ping-to>Ping-To</code> HTTP + header with, as its value, the address of the target of the + hyperlink.</dd> <dt>Otherwise, the origins are different and the document containing the hyperlink being audited was retrieved over an encrypted connection</dt> - <dd>The request must include a <code title="">Ping-To</code> HTTP - header with, as its value, the address of the target of the - hyperlink. The request must neither include a <code title="">Referer</code> HTTP header nor include a <code title="">Ping-From</code> HTTP header.</dd> + <dd>The request must include a <code title=http-ping-to>Ping-To</code> HTTP header with, as its value, + the address of the target of the hyperlink. The request must + neither include a <code title="">Referer</code> HTTP header nor + include a <code title=http-ping-from>Ping-From</code> HTTP + header.</dd> - </dl><p class=note>To save bandwidth, implementors might also wish to + </dl><p>In addition, an <code title=http-origin>Origin</code> header + must always be included, whose value is the <a href=#ascii-serialization-of-an-origin title="ASCII + serialization of an origin">ASCII serialization</a> of the + <a href=#origin-0>origin</a> of the the <code>Document</code> containing the + <a href=#hyperlink>hyperlink</a>. The value of the <code title=http-origin>Origin</code> header must be set to "<code title="">null</code>" when following redirects if the <a href=#origin-0 title=origin>origins</a> of all the <a href=#url title=URL>URLs</a> involved are not the <a href=#same-origin title="same + origin">same</a>.<p class=note>To save bandwidth, implementors might also wish to consider omitting optional headers such as <code>Accept</code> from these requests.<p>User agents must, unless otherwise specified by the user, honor the HTTP headers (including, in particular, redirects and HTTP
Received on Tuesday, 2 December 2008 11:30:15 UTC