Re: Do we need to rename the Origin header?

On Wed, Apr 8, 2009 at 10:09 PM, Bil Corry <bil@corry.biz> wrote:
> Using the above scenario, if Origin was populated and sent for all same-origin requests (including GET), the website could simply redirect any request for any protected resource that isn't same-origin.

Then no one could link to the site.  Virtually every site is going to
have some page that both wants to be world-linkable and has different
time characteristics for logged in / not logged in.  The Origin header
is useful for many things but not for defeating timing attacks.

Adam

Received on Thursday, 9 April 2009 05:37:38 UTC