Re: Origin from Jonas Sicking on 2008-05-30 (public-webapi@w3.org from May 2008)

From: Jonas Sicking <jonas@sicking.cc>
Date: Fri, 30 May 2008 14:02:43 -0700
To: Anne van Kesteren <annevk@opera.com>
CC: Adam Barth <public-webapi@adambarth.com>, Collin Jackson <collinj@cs.stanford.edu>, "Web API WG (public)" <public-webapi@w3.org>
Message-ID: <48406B73.6050702@sicking.cc>

Anne van Kesteren wrote:
> 
> On Sun, 25 May 2008 23:36:48 +0200, Jonas Sicking <jonas@sicking.cc> wrote:
>> If the header is simply named 'Origin' (or 'Referer-Root') then 
>> blocking any requests that include that header would also block for 
>> example cross-site image requests or cross-site POSTs.
> 
> Right. Given that it's likely we get extensions in the future that allow 
> reading the contents of images (<img>.getImageData() or something) or 
> the response of a <form> POST (some features in Web Forms 2.0 allow this 
> as far as I can tell).

When these features are added we'll have to add some sort of opt-in 
mechanism from the server. Hopefully Access-Control.

However I don't see how that affects anything. We'll still have the same 
situation as we do today for the set of cross-site features that exist 
today (such as <img>) that will work with the same set of server 
configurations that exist today.

So I don't see the situation changing materially.

>> This can be both good and bad. The good part is that it gives sites a 
>> tool to easily block all third-party requests. The bad part is that it 
>> makes it harder to just block the most dangerous ones, i.e. ones where 
>> the requesting site can read the response.
> 
> The response is never revealed unless specified by the server.

Right. The concern that we tried to deal with was a site detecting that 
they were wrongly configured and and wanted to quickly deal with that. 
Another scenario is a server administrator on an intranet wanting to 
make sure that no-one accidentally enabled sharing to internet sites and 
thus leak private corporate data to the outside world.

One option is of course to shut down the whole server while figuring out 
how to fix the problem. However that could be a very undesirable, and 
doesn't work in the case of trying to protect intranet sites.

With Access-Control-Origin it is easy to block all cross-site requests 
where the requesting site can read the resulting data.

"Origin" is likely to in the future exist even for same-site requests, 
as well as other requests where the requesting site can not read the data.

/ Jonas

Received on Friday, 30 May 2008 21:05:39 UTC