Wouldn't the client want some knowledge of which service it is disclosing
the origin to? Given that the service is decoupled from the client maybe we
would want a more subtle policy such as:
send_origin="NEVER (implicit), ALWAYS, SAME_ORIGIN"
Steve McKay | Sr. Software Engineer | smckay@google.com | 310-359-8331
On Mon, Aug 27, 2012 at 2:47 PM, Greg Billock <gbillock@google.com> wrote:
>
> If the client doesn't want to disclose the origin, attaching it always
> might be a privacy concern. "UseOrigin: true" is nice -- then the
> browser fills in the right origin for the service. That lets the
> service know that the client is purposefully disclosing the origin,
> and that the value received is from the UA.
>
> Obviously the service can be loaded by a malicious UA, so it will need
> to maintain its own security based on other content in the message
> anyway.
>
>
> On Mon, Aug 27, 2012 at 1:15 PM, Conrad Irwin <conrad.irwin@gmail.com>
> wrote:
> > On Mon, Aug 27, 2012 at 1:02 PM, KOMATSU Kensaku
> > <kensaku.komatsu@gmail.com> wrote:
> >> Yep, most modern browsers such as IE, Chrome, Safari and Opera are
> >> trusted and send the right origin to intent services. But there are other
> >> clients whose behavior is not trusted. So, I guess James pointed out that
> >> origin info from clients is not always trusted.
> >
> > Just like the Origin: HTTP header, the only guarantee you get is that
> > "this user trusts the browser to send the correct Origin header". It
> > doesn't protect you from malicious users, but it does allow you to
> > protect clumsy users who might be fooled into clicking an intent on a
> > malicious website.
> >
> > Conrad
>
>
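
The disclosure policy floated in this thread, sketched as a UA-side check. This is an added example, not code from any participant or from a Web Intents draft. The function names are hypothetical, and reading SAME_ORIGIN as "disclose only when the service has the same origin as the client" is an assumption the thread does not spell out.

```javascript
// Hypothetical UA-side helper: decides which origin string, if any, the
// browser attaches to an intent delivered to a service.
const POLICIES = new Set(["NEVER", "ALWAYS", "SAME_ORIGIN"]);

// Serialize a URL to scheme://host[:port]. Returns null for unparsable
// URLs and for opaque origins (data:, etc.), which have nothing to disclose.
function serializedOrigin(url) {
  try {
    const origin = new URL(url).origin;
    return origin === "null" ? null : origin;
  } catch (_) {
    return null;
  }
}

// clientUrl:  page invoking the intent
// serviceUrl: page the user picked to handle it
// sendOrigin: the client's declared policy; absent means NEVER (implicit)
function originToDisclose(clientUrl, serviceUrl, sendOrigin) {
  const policy =
    sendOrigin === undefined ? "NEVER" : String(sendOrigin).toUpperCase();

  // Fail closed: an unrecognized policy value must not leak the origin.
  if (!POLICIES.has(policy) || policy === "NEVER") return null;

  // The value is computed by the UA from the client's URL, never taken
  // from client-supplied data, so the service sees what the UA observed.
  const client = serializedOrigin(clientUrl);
  if (client === null) return null;

  if (policy === "ALWAYS") return client;

  // SAME_ORIGIN (assumed semantics): scheme, host and port must all match.
  return serializedOrigin(serviceUrl) === client ? client : null;
}

// Constructed sample URLs.
const client = "https://photos.example/album?id=1";
console.log(originToDisclose(client, "https://editor.example/edit", "ALWAYS"));
console.log(originToDisclose(client, "https://editor.example/edit", "SAME_ORIGIN"));
```

As the thread notes, a value produced this way is only as trustworthy as the UA that computed it, so the service still has to validate the message content itself.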