Re: Do we need to rename the Origin header?

I'm adding Sid, who has been editing the document:
https://wiki.mozilla.org/Security/Origin

As is mentioned in the first section of that document, the name of the
proposed header is subject to change.

Thanks,
Brandon


On 4/6/09 1:04 PM, Adam Barth wrote:
> On Mon, Apr 6, 2009 at 2:19 AM, Thomas Roessler <tlr@w3.org> wrote:
>> Perhaps it's worthwhile to summarize the Mozilla-internal discussions and
>> send them here first?  I'm having a sense that much of what's needed right
>> now is for somebody to ask the right questions.
> 
> I'll let someone from Mozilla fill in the details, but the general
> idea is twofold:
> 
> 1) Enable CSRF mitigation for GET requests.
> 
> 2) Providing additional information in the header to help mitigate
> ClickJacking as well.
> 
> To achieve (1), the Mozilla proposal sends the header (let's call it
> Blame-List for ease of discussion) for some GET requests, depending on
> how the requests were generated.  For example, a hyperlink or an image
> would not send Blame-List, but a form submission would.
> 
> To achieve (2), the Blame-List contains not only the origin that
> initiated the request, but also the origin of all the ancestor frames.
> For example, if attacker.com created an iframe to example.com, and
> the user clicked on the "buy" button inside of the example.com iframe,
> the header would look something like this:
> 
> Blame-List: http://example.com http://attacker.com
> 
> I believe Mozilla has fleshed out the details in a document somewhere.
> 
> Adam
> 

Received on Monday, 6 April 2009 20:34:59 UTC
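As an added example, not code from this thread or from the Mozilla document, here is a server-side check that applies the policy Adam describes to a Blame-List header (initiating origin first, ancestor frame origins after it) and refuses the attacker.com framing scenario from the message. The header name, the trusted-origin set and the dict-shaped request headers are assumptions for illustration.

```python
from urllib.parse import urlsplit

# Origins allowed to initiate state-changing requests (CSRF) and to embed the
# page in a frame (clickjacking). Constructed for this example.
TRUSTED_ORIGINS = {"http://example.com"}

def parse_blame_list(value):
    """Split the header into normalized scheme://host[:port] origins."""
    origins = []
    for token in value.split():
        parts = urlsplit(token)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            raise ValueError("malformed origin: %r" % token)
        origin = "%s://%s" % (parts.scheme, parts.hostname.lower())
        if parts.port is not None:
            origin += ":%d" % parts.port
        origins.append(origin)
    return origins

def check_request(headers, trusted=TRUSTED_ORIGINS):
    """Return (allowed, reason) for a state-changing request.

    Policy applied here (an assumption, not the proposal's wording):
    - the initiating origin (first entry) must be trusted, else CSRF;
    - every ancestor origin must be trusted, else clickjacking;
    - a missing header is refused, because under the proposal a form
      submission always carries it, so its absence is not a trusted path.
    """
    value = headers.get("Blame-List")
    if value is None:
        return False, "missing Blame-List"
    try:
        origins = parse_blame_list(value)
    except ValueError as exc:
        return False, str(exc)
    if not origins:
        return False, "empty Blame-List"
    initiator, ancestors = origins[0], origins[1:]
    if initiator not in trusted:
        return False, "untrusted initiator %s (CSRF)" % initiator
    for ancestor in ancestors:
        if ancestor not in trusted:
            return False, "untrusted ancestor %s (clickjacking)" % ancestor
    return True, "ok"

if __name__ == "__main__":
    # The thread's own scenario: attacker.com frames example.com.
    print(check_request({"Blame-List": "http://example.com http://attacker.com"}))
    print(check_request({"Blame-List": "http://example.com"}))
```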