- From: Brandon Sterne <bsterne@mozilla.com>
- Date: Mon, 06 Apr 2009 13:34:23 -0700
- To: Adam Barth <w3c@adambarth.com>
- CC: Thomas Roessler <tlr@w3.org>, Jonas Sicking <jonas@sicking.cc>, Bil Corry <bil@corry.biz>, Ian Hickson <ian@hixie.ch>, Anne van Kesteren <annevk@opera.com>, public-webapps@w3.org, Maciej Stachowiak <mjs@apple.com>, Sam Weinig <weinig@apple.com>, Sid Stamm <sstamm@mozilla.com>
I'm adding Sid, who has been editing the document:
https://wiki.mozilla.org/Security/Origin

As is mentioned in the first section of that document, the name of the proposed header is subject to change.

Thanks,
Brandon

On 4/6/09 1:04 PM, Adam Barth wrote:
> On Mon, Apr 6, 2009 at 2:19 AM, Thomas Roessler <tlr@w3.org> wrote:
>> Perhaps it's worthwhile to summarize the Mozilla-internal discussions and
>> send them here first? I'm having a sense that much of what's needed right
>> now is for somebody to ask the right questions.
>
> I'll let someone from Mozilla fill in the details, but the general
> idea is twofold:
>
> 1) Enable CSRF mitigation for GET requests.
>
> 2) Providing additional information in the header to help mitigate
> ClickJacking as well.
>
> To achieve (1), the Mozilla proposal sends the header (let's call it
> Blame-List for ease of discussion) for some GET requests, depending on
> how the requests were generated. For example, a hyperlink or an image
> would not send Blame-List, but a form submission would.
>
> To achieve (2), the Blame-List contains not only the origin that
> initiated the request, but also the origin of all the ancestor frames.
> For example, if attacker.com created an iframe to example.com, and
> the user clicked on the "buy" button inside of the example.com iframe,
> the header would look something like this:
>
> Blame-List: http://example.com http://attacker.com
>
> I believe Mozilla has fleshed out the details in a document somewhere.
>
> Adam
Received on Monday, 6 April 2009 20:34:59 UTC
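As an added illustration of the server-side check the quoted proposal enables (example code, not part of the thread or of Mozilla's implementation): a handler that parses the space-separated initiator-plus-ancestor list and accepts a state-changing request only when every origin in the chain is trusted, which covers both the cross-site form post and the trusted page framed by an untrusted one. The header name "Blame-List" is the thread's placeholder, the space-separated format is taken from Adam's example, and the allowlist is a constructed sample.

```python
from urllib.parse import urlsplit

# Placeholder name used in the thread; the real header name is subject to change.
HEADER = "Blame-List"

# Constructed sample allowlist: origins permitted to initiate or frame a
# state-changing request to this application.
TRUSTED_ORIGINS = {"http://example.com"}


def parse_blame_list(value):
    """Split the header into origins: first = initiating origin, rest = ancestor
    frames from innermost to outermost. Entries are normalised to
    scheme://host[:port]; anything that is not a bare http(s) origin is rejected."""
    origins = []
    for token in value.split():
        parts = urlsplit(token)
        if (parts.scheme not in ("http", "https") or not parts.netloc
                or parts.path not in ("", "/") or parts.query or parts.fragment):
            raise ValueError("malformed origin: %r" % token)
        origins.append("%s://%s" % (parts.scheme, parts.netloc.lower()))
    return origins


def allow_state_change(headers, trusted=TRUSTED_ORIGINS):
    """Return (allowed, reason) for a request that changes server state.

    The request is accepted only when the header is present and *every* listed
    origin is trusted: an untrusted initiator is a CSRF attempt, and an untrusted
    ancestor frame is the clickjacking case from the thread's example."""
    # Header names are case-insensitive, so look the value up accordingly.
    value = next((v for k, v in headers.items() if k.lower() == HEADER.lower()), None)
    if value is None:
        return False, "missing header"
    try:
        origins = parse_blame_list(value)
    except ValueError as exc:
        return False, str(exc)
    if not origins:
        return False, "empty header"
    untrusted = [o for o in origins if o not in trusted]
    if untrusted:
        return False, "untrusted origin in chain: " + ", ".join(untrusted)
    return True, "ok"
```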