- From: Tyler Close <tyler.close@gmail.com>
- Date: Tue, 9 Jun 2009 13:47:32 -0700
- To: public-webapps <public-webapps@w3.org>
The Origin I-D says the following about redirects:

"""
If a user agent issues an HTTP request in reaction to an HTTP redirect, the Origin header MUST contain the same value as the Origin header in the HTTP request that generated the redirect.
"""

So if a page from Victim origin sends a request to Attacker origin which is redirected to a URL at Victim origin, the server at Victim origin receives a request with user credentials for Victim origin and an Origin header value for Victim origin.

The Origin I-D says "don't do that" at the end of section 6; meaning there's no way to send a request to another origin unless you have complete trust for it. That seems rather restrictive. Is there really no way to send a request to another origin without being vulnerable? Wasn't that the whole point of creating a mechanism to replace JSON-P?

--Tyler
Received on Tuesday, 9 June 2009 20:48:09 UTC
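The redirect chain described in the post, modelled as an added example (this is not code from the post, the W3C WebApps group, or the Origin I-D). It simulates a user agent that follows a redirect from a constructed Attacker origin back to a constructed Victim origin under two policies: the quoted I-D rule, where the Origin header keeps its original value, and an alternative policy, assumed here for comparison, where a cross-origin redirect replaces the Origin value with the opaque serialization "null". The Victim server trusts any credentialed request whose Origin header matches its own origin, which is exactly the check the post worries about. All origins, URLs and server behaviour are constructed for the illustration.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple
from urllib.parse import urlsplit

# Constructed origins for the scenario in the post.
VICTIM = "https://victim.example"
ATTACKER = "https://attacker.example"


def origin_of(url: str) -> str:
    """Serialize the origin (scheme://host[:port]) of a URL."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}"


@dataclass
class Request:
    url: str
    origin: str        # value the UA puts in the Origin header
    credentials: bool  # whether cookies for url's origin were attached


@dataclass
class Response:
    status: int
    location: Optional[str] = None
    body: str = ""


def attacker_server(req: Request) -> Response:
    """Attacker origin: answers every request with a redirect back to Victim."""
    return Response(302, location=VICTIM + "/transfer?to=mallory")


def victim_server(req: Request) -> Response:
    """Victim origin: accepts a state change when Origin is its own and credentials are present."""
    if req.origin == VICTIM and req.credentials:
        return Response(200, body="transfer done")
    return Response(403, body="rejected")


SERVERS: Dict[str, Callable[[Request], Response]] = {
    VICTIM: victim_server,
    ATTACKER: attacker_server,
}


def user_agent(page_origin: str, url: str, policy: str, max_redirects: int = 5) -> Tuple[Request, Response]:
    """Issue a request from a page at page_origin and follow redirects.

    policy == "preserve": the Origin I-D rule quoted in the post (header value unchanged
                          across redirects).
    policy == "opaque":   assumed alternative where a cross-origin redirect replaces the
                          Origin value with "null".
    Returns the final request as the last server saw it, plus that server's response.
    The model always attaches credentials for the target origin, as a browser would for
    a same-site cookie jar; that simplification is deliberate.
    """
    origin = page_origin
    for _ in range(max_redirects):
        target_origin = origin_of(url)
        req = Request(url=url, origin=origin, credentials=True)
        resp = SERVERS[target_origin](req)
        if resp.status not in (301, 302, 303, 307, 308):
            return req, resp
        next_url = resp.location or ""
        if policy == "opaque" and origin_of(next_url) != target_origin:
            origin = "null"  # cross-origin hop: the requester's origin is no longer meaningful
        elif policy != "preserve" and policy != "opaque":
            raise ValueError(f"unknown policy {policy!r}")
        url = next_url
    raise RuntimeError("too many redirects")


def run_scenario(policy: str) -> Tuple[int, str]:
    """Victim page requests Attacker URL; Attacker redirects to Victim. Return (status, Origin seen)."""
    req, resp = user_agent(VICTIM, ATTACKER + "/api", policy)
    return resp.status, req.origin


def run_same_origin(policy: str) -> int:
    """Control case: a genuine same-origin request with no redirect involved."""
    _, resp = user_agent(VICTIM, VICTIM + "/transfer?to=bob", policy)
    return resp.status


if __name__ == "__main__":
    for p in ("preserve", "opaque"):
        print(p, "via attacker redirect ->", run_scenario(p), "| same-origin ->", run_same_origin(p))
```

Under "preserve", the Victim server sees `Origin: https://victim.example` plus credentials and cannot tell this request from one its own page made directly, which is the ambiguity the post describes. Under the assumed "opaque" policy the same request arrives with `Origin: null` and is rejected, while the genuine same-origin control request still succeeds; the difference is entirely in what the user agent does at the cross-origin hop, not in anything the Victim server can observe on its own.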