- From: Maciej Stachowiak <mjs@apple.com>
- Date: Thu, 03 Dec 2009 17:26:52 -0800
- To: Adam Barth <w3c@adambarth.com>
- Cc: Larry Masinter <masinter@adobe.com>, "public-web-security@w3.org" <public-web-security@w3.org>
On Dec 3, 2009, at 1:40 PM, Adam Barth wrote: > Changing the subject line since this appears to be a new topic. > > On Thu, Dec 3, 2009 at 1:35 PM, Larry Masinter <masinter@adobe.com> > wrote: >> Is the "Origin" header generally agreed to be both necessary >> and sufficient for same-origin-policy work to proceed? > > I'm not sure the Origin header is either necessary or sufficient. The > same-origin policy is much larger and more extensive than a single > header. > >> Right now, HTML 5 continues to refer to the Origin header as >> supporting the same-origin policy, and it seemed to me that >> there was still some disagreement about whether it should >> be retained. The Origin header as used in HTML5 is at best tangentially related to the same-origin policy. It does depend on the origin notion, but it has a different purpose. Same-origin is about preventing Cross-Site Scripting (XSS) attacks. Origin (as used in HTML5) primarily helps to mitigate Cross-Site Request Forgery (CSRF) attacks. Same-origin policy is about preventing actions on the client side. Origin is about labeling requests to allow the server to optionally use that information. - Maciej >> >> The HTML issue is scheduled to be closed today (Dec 3) -- should it >> remain open? Would anyone volunteer to write a "change proposal" >> (re)moving "Origin header" from the HTML5 spec? >> >> >> http://www.w3.org/html/wg/tracker/issues/63 >> >> Larry >> -- >> http://larry.masinter.net >> >> >> >
Received on Friday, 4 December 2009 01:27:33 UTC