Re: Passing "origin" with intents

Wouldn't the client want some knowledge of which service it is disclosing
the origin to? Given that the service is decoupled from the client maybe we
would want a more subtle policy such as:

send_origin="NEVER (implicit), ALWAYS, SAME_ORIGIN"

Steve McKay | Sr. Software Engineer | smckay@google.com | 310-359-8331




On Mon, Aug 27, 2012 at 2:47 PM, Greg Billock <gbillock@google.com> wrote:

>
> If the client doesn't want to disclose the origin, attaching it always
> might be a privacy concern. "UseOrigin: true" is nice -- then the
> browser fills in the right origin for the service. That lets the
> service know that the client is purposefully disclosing the origin,
> and that the value received is from the UA.
>
> Obviously the service can be loaded by a malicious UA, so it will need
> to maintain its own security based on other content in the message
> anyway.
>
>
> On Mon, Aug 27, 2012 at 1:15 PM, Conrad Irwin <conrad.irwin@gmail.com>
> wrote:
> > On Mon, Aug 27, 2012 at 1:02 PM, KOMATSU Kensaku
> > <kensaku.komatsu@gmail.com> wrote:
> >> Yep, most of modern browsers such as IE, chrome, safari and opera are
> >> trusted and sends right origin to intent services. But there are other
> clients
> >> their behavior is not trusted. So, I guess James pointed that origin
> info
> >> from clients is not always trusted.
> >
> > Just like the Origin: HTTP header, the only guarantee you get is that
> > "this user trusts the browser to send the correct Origin header".It
> > doesn't protect you from malicious users, but it does allow you to
> > protect clumsy users who might be fooled into clicking an intent on a
> > malicious website.
> >
> > Conrad
>
>

Received on Monday, 27 August 2012 22:31:14 UTC