- From: Adam Barth <w3c@adambarth.com>
- Date: Mon, 6 Apr 2009 13:04:16 -0700
- To: Thomas Roessler <tlr@w3.org>
- Cc: Jonas Sicking <jonas@sicking.cc>, Bil Corry <bil@corry.biz>, Ian Hickson <ian@hixie.ch>, Anne van Kesteren <annevk@opera.com>, public-webapps@w3.org, Maciej Stachowiak <mjs@apple.com>, Sam Weinig <weinig@apple.com>
On Mon, Apr 6, 2009 at 2:19 AM, Thomas Roessler <tlr@w3.org> wrote:
> Perhaps it's worthwhile to summarize the Mozilla-internal discussions and
> send them here first? I'm having a sense that much of what's needed right
> now is for somebody to ask the right questions.

I'll let someone from Mozilla fill in the details, but the general idea is twofold:

1) Enable CSRF mitigation for GET requests.
2) Provide additional information in the header to help mitigate ClickJacking as well.

To achieve (1), the Mozilla proposal sends the header (let's call it Blame-List for ease of discussion) for some GET requests, depending on how the requests were generated. For example, a hyperlink or an image would not send Blame-List, but a form submission would.

To achieve (2), the Blame-List contains not only the origin that initiated the request, but also the origin of all the ancestor frames. For example, if attacker.com created an iframe to example.com, and the user clicked on the "buy" button inside of the example.com iframe, the header would look something like this:

Blame-List: http://example.com http://attacker.com

I believe Mozilla has fleshed out the details in a document somewhere.

Adam
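The server-side consequence of the header described above, as an added example that is not part of the thread or of Mozilla's document: a receiving site that trusts only its own origin parses the space-separated list (initiating origin first, then each ancestor frame's origin) and refuses a state-changing request if any entry is untrusted. In the thread's scenario, `http://example.com http://attacker.com` is rejected because of the ancestor, which is the clickjacking mitigation; a missing header on a state-changing request is rejected because, under the proposal, a form submission would have carried it. The header name Blame-List is the thread's placeholder, `TRUSTED_ORIGINS` is a constructed allow-list, and the `state_changing` flag is an assumption about how an endpoint is classified.

```python
from urllib.parse import urlsplit

# Constructed allow-list: the hypothetical example.com deployment trusts
# only its own origin, both as initiator and as every framing ancestor.
TRUSTED_ORIGINS = {"http://example.com"}


def parse_blame_list(header_value):
    """Parse the space-separated origin list from the thread's proposal.

    Returns None when the header is absent (e.g. the request came from a
    hyperlink or an image, which the proposal says do not send it), or a
    list of normalized origins, innermost (initiating) origin first.
    Raises ValueError on anything that is not a bare scheme://host[:port].
    """
    if header_value is None:
        return None
    normalized = []
    for token in header_value.split():
        parts = urlsplit(token)
        if parts.scheme not in ("http", "https") or not parts.netloc \
                or parts.path not in ("", "/") or parts.query or parts.fragment:
            raise ValueError(f"malformed origin in Blame-List: {token!r}")
        # Hosts are case-insensitive; compare in a canonical lowercase form.
        normalized.append(f"{parts.scheme}://{parts.netloc.lower()}")
    return normalized


def check_request(method, blame_list_header, state_changing=True,
                  trusted=TRUSTED_ORIGINS):
    """Decide whether a request may perform a state-changing action.

    Returns (allowed, reason). Read-only requests are always allowed,
    since links and images legitimately arrive without the header.
    """
    if not state_changing:
        return True, "ok"
    try:
        origins = parse_blame_list(blame_list_header)
    except ValueError as exc:
        return False, str(exc)
    if origins is None:
        # A form submission or XHR would have sent the header; a bare
        # request that changes state without it is treated as cross-site.
        return False, f"{method} without Blame-List header"
    if not origins:
        return False, "empty Blame-List header"
    initiator, ancestors = origins[0], origins[1:]
    if initiator not in trusted:
        # Classic CSRF: the request was initiated by another site.
        return False, f"cross-site initiator {initiator}"
    for ancestor in ancestors:
        if ancestor not in trusted:
            # Clickjacking: our page was framed by an untrusted site.
            return False, f"framed by untrusted ancestor {ancestor}"
    return True, "ok"


if __name__ == "__main__":
    # The thread's scenario: example.com framed by attacker.com.
    print(check_request("POST", "http://example.com http://attacker.com"))
    print(check_request("POST", "http://example.com"))
    print(check_request("GET", None, state_changing=False))
```

Only the first header entry distinguishes CSRF from clickjacking; the loop over ancestors is what turns the extra frame information into a mitigation, so an allow-list that includes every legitimate framing partner is the deployment decision this check depends on.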
Received on Monday, 6 April 2009 20:05:13 UTC