- From: Bjoern Hoehrmann <derhoermi@gmx.net>
- Date: Sun, 22 Jun 2008 03:51:57 +0200
- To: "Collin Jackson" <w3c@collinjackson.com>
- Cc: "Adam Barth" <public-webapi@adambarth.com>, public-webapps@w3.org
* Collin Jackson wrote:
>The advantage of the Origin header is that it provides sites with
>functionality that can't already be emulated with XMLHttpRequest: it
>allows them to distinguish trusted (sub)domains from completely
>untrusted domains.

The stated goal was to balance easy protection against session riding
attacks without compromising privacy too much. Allowing session riding
via some sites but not others is something that cannot be done securely
today without major effort as whatever information is used to tell good
requests apart from bad requests may either be absent or faked. That'll
remain so until any browser that does not set the header can be blocked.
I would hope that at that point, other means of cross site and document
communication are more attractive to developers than what is currently
not affected by same-origin restrictions, and hope that new ways of
bypassing the same-origin restrictions will not rely on the Origin header
alone, so I don't think there is any real advantage. Perhaps I'm missing
something?

I'm ignoring that the "AC" draft now also has a header named "Origin"
as that is a more recent development.

-- 
Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de
Weinh. Str. 22 · Telefon: +49(0)621/4309674 · http://www.bjoernsworld.de
68309 Mannheim · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/
Received on Sunday, 22 June 2008 01:52:36 UTC
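The check being argued about above, as an added example that is not part of the original thread and not code from either correspondent: a server-side decision function that allowlists trusted (sub)domains by their Origin value, falls back to Referer for browsers that do not send Origin, and makes the "neither header present" case an explicit policy choice. That last branch is the point of the message: until browsers without the header can simply be refused, a request with no origin information is indistinguishable from a cross-site one. The hostnames under `.example.test` and the `csrfDecision`/`originOf` names are assumptions made for this example.

```javascript
// Added example (not from the original thread): Origin-based CSRF check with an
// explicit policy for requests that carry no origin information at all.

// Constructed allowlist: the site itself plus one trusted subdomain. Hostnames
// are hypothetical. Matching is exact on scheme://host[:port]; a sibling
// subdomain that is not listed is rejected.
const TRUSTED_ORIGINS = new Set([
  "https://app.example.test",
  "https://admin.app.example.test",
]);

// Methods that must never change state and therefore need no origin check.
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS"]);

// Normalise an Origin or Referer value to "scheme://host[:port]".
// Returns null for anything that is not a parseable http(s) URL, which
// covers the literal "null" origin, relative paths and garbage.
function originOf(value) {
  if (typeof value !== "string" || value === "") return null;
  let url;
  try {
    url = new URL(value);
  } catch (e) {
    return null; // "null", relative or malformed input
  }
  if (url.protocol !== "https:" && url.protocol !== "http:") return null;
  return url.origin;
}

// Decide whether a request may perform a state-changing action.
// `headers` is a plain object with lower-case header names.
// Returns { allow: boolean, reason: string }.
//
// opts.allowMissing: accept requests that carry neither Origin nor Referer.
// Setting it true is the "legacy browser" compromise: anyone who can make the
// browser omit both headers (or who forges the request outside a browser, where
// the session cookie is absent anyway) passes, so the allowlist no longer
// separates good requests from bad ones for that population.
function csrfDecision(method, headers, opts = { allowMissing: false }) {
  if (SAFE_METHODS.has(method.toUpperCase())) {
    return { allow: true, reason: "safe method" };
  }

  const origin = originOf(headers["origin"]);
  if (origin !== null) {
    return TRUSTED_ORIGINS.has(origin)
      ? { allow: true, reason: "origin allowlisted" }
      : { allow: false, reason: "origin not allowlisted" };
  }
  if (headers["origin"] !== undefined) {
    // Header present but unusable ("null", malformed): treat as untrusted.
    return { allow: false, reason: "unusable origin" };
  }

  // No Origin header. Fall back to Referer, which older browsers send but
  // which privacy tools and some proxies strip, so it may also be absent.
  const referer = originOf(headers["referer"]);
  if (referer !== null) {
    return TRUSTED_ORIGINS.has(referer)
      ? { allow: true, reason: "referer allowlisted" }
      : { allow: false, reason: "referer not allowlisted" };
  }

  return opts.allowMissing
    ? { allow: true, reason: "no origin information; accepted by policy" }
    : { allow: false, reason: "no origin information; refused" };
}

// Constructed requests, in the shape a handler would see them.
const SAMPLE_REQUESTS = [
  ["POST", { origin: "https://admin.app.example.test" }],
  ["POST", { origin: "https://attacker.example.test" }],
  ["POST", { origin: "null" }],
  ["POST", { referer: "https://app.example.test/form?x=1" }],
  ["POST", {}],
];

for (const [method, headers] of SAMPLE_REQUESTS) {
  const d = csrfDecision(method, headers);
  console.log(method, JSON.stringify(headers), "->", d.allow, `(${d.reason})`);
}
```

The fallback order matters: Origin is consulted first and a present-but-unusable value is never rescued by Referer, because a request that reaches the Origin branch came from a browser that does send the header. Only the complete absence of both headers reaches the `allowMissing` policy, and that is the population the message says cannot be protected without blocking it outright.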