Re: The Origin header (was Re: HTTPbis and the Same Origin Policy) from Mary Ellen Zurko on 2009-12-04 (public-web-security@w3.org from December 2009)

From: Mary Ellen Zurko <mzurko@us.ibm.com>
Date: Fri, 4 Dec 2009 10:36:07 -0500
To: "Maciej Stachowiak <mjs" <mjs@apple.com>
Cc: "public-web-security@w3.org" <public-web-security@w3.org>
Message-ID: <OFB3E433AF.8C2BF5AB-ON85257682.00556627-85257682.00559719@LocalDomain>

> The Origin header as used in HTML5 is at best tangentially related to 
> the same-origin policy. It does depend on the origin notion, but it 
> has a different purpose. Same-origin is about preventing Cross-Site 
> Scripting (XSS) attacks. Origin (as used in HTML5) primarily helps to 
> mitigate Cross-Site Request Forgery (CSRF) attacks. Same-origin policy 
> is about preventing actions on the client side. Origin is about 
> labeling requests to allow the server to optionally use that 
> information.

Not to be a total pedant, but since this is an issue near and dear to my 
heart...

same-origin is about mitigating XSS, not preventing it, right? Since in 
web apps that allow users to collaborate with content that might include 
(D)HTML, same-origin is of no help at all. right?

Received on Friday, 4 December 2009 15:35:29 UTC