W3C home > Mailing lists > Public > public-web-security@w3.org > December 2009

Re: The Origin header (was Re: HTTPbis and the Same Origin Policy)

From: Maciej Stachowiak <mjs@apple.com>
Date: Thu, 03 Dec 2009 17:26:52 -0800
Cc: Larry Masinter <masinter@adobe.com>, "public-web-security@w3.org" <public-web-security@w3.org>
Message-id: <99C778BF-C4A8-4F3E-8D12-506781949D22@apple.com>
To: Adam Barth <w3c@adambarth.com>

On Dec 3, 2009, at 1:40 PM, Adam Barth wrote:

> Changing the subject line since this appears to be a new topic.
> On Thu, Dec 3, 2009 at 1:35 PM, Larry Masinter <masinter@adobe.com>  
> wrote:
>> Is the "Origin" header generally agreed to be both necessary
>> and sufficient for same-origin-policy work to proceed?
> I'm not sure the Origin header is either necessary or sufficient.  The
> same-origin policy is much larger and more extensive than a single
> header.
>> Right now, HTML 5 continues to refer to the Origin header as
>> supporting the same-origin policy, and it seemed to me that
>> there was still some disagreement about whether it should
>> be retained.

The Origin header as used in HTML5 is at best tangentially related to  
the same-origin policy. It does depend on the origin notion, but it  
has a different purpose. Same-origin is about preventing Cross-Site  
Scripting (XSS) attacks. Origin (as used in HTML5) primarily helps to  
mitigate Cross-Site Request Forgery (CSRF) attacks. Same-origin policy  
is about preventing actions on the client side. Origin is about  
labeling requests to allow the server to optionally use that  

- Maciej

>> The HTML issue is scheduled to be closed today (Dec 3) -- should it
>> remain open? Would anyone volunteer to write a "change proposal"
>> (re)moving "Origin header" from the HTML5 spec?
>> http://www.w3.org/html/wg/tracker/issues/63
>> Larry
>> --
>> http://larry.masinter.net
Received on Friday, 4 December 2009 01:27:33 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:09:23 UTC