Re: Origin enables XSS to escalate to XSRF

On Thu, 11 Jun 2009 13:35:57 +0200, Jonathan Rees  
<jar@creativecommons.org> wrote:
> I think this may be a foolish question, but is the value of Origin:
> limited to sites? Couldn't it be an individual web page (URI)? Or a
> wildcard? Is there some principled reason for such a limitation (if it
> exists)?
>
> I took a look at the HTML5 draft (cited by CORS) and couldn't quite
> figure this out.

The reason is that this does not reveal confidential path information and  
can therefore more often be included in the request than the Referer  
header. (Since we've learned that changing Referer might have been a  
possible approach too, but alas, implementations are shipping.)

The other reason is that most security decisions in Web browsers (and by  
extension, on the Web) are origin based. It is that restriction that this  
draft is trying to alleviate.


-- 
Anne van Kesteren
http://annevankesteren.nl/

Received on Thursday, 11 June 2009 11:52:11 UTC
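The distinction Anne draws above (an origin is scheme, host and port; a URI also carries the path, query and fragment) is easy to see in code. The following is an added example, not code from the thread or from the CORS draft: it serializes the value a browser would put in `Origin:`, shows what `Referer:` would have exposed for the same URL, and performs the kind of exact-match origin check a CORS server would do. The sample URLs and the `DEFAULT_PORTS` table are constructed for this illustration.

```python
from urllib.parse import urlsplit

# Constructed for this example: ports that are elided from the serialized origin.
DEFAULT_PORTS = {"http": 80, "https": 443}


def serialize_origin(url: str) -> str:
    """Serialize the origin of a URL as a browser would send it in Origin:.

    Only scheme, host and (non-default) port survive; path, query and
    fragment are dropped, so nothing about which page made the request
    leaks.  URLs with no network host serialize as the opaque value "null".
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = parts.hostname  # already lower-cased by urlsplit
    if scheme not in DEFAULT_PORTS or host is None:
        return "null"
    port = parts.port
    if port is None or port == DEFAULT_PORTS[scheme]:
        return f"{scheme}://{host}"
    return f"{scheme}://{host}:{port}"


def referer_value(url: str) -> str:
    """What Referer: would carry for the same URL: everything but the fragment,
    including the path and query string a site may consider confidential."""
    parts = urlsplit(url)
    return parts._replace(fragment="").geturl()


def is_allowed_origin(origin: str, allowlist) -> bool:
    """Server-side CORS decision: exact string comparison against an allowlist.

    No prefix or wildcard matching, so a look-alike host such as
    https://example.com.attacker-controlled.test does not pass.
    """
    return origin in allowlist


if __name__ == "__main__":
    # Constructed sample: a page whose path and query reveal account details.
    page = "https://Example.com:443/accounts/123/statement?token=abc#section"
    print("Origin: ", serialize_origin(page))  # scheme/host/port only
    print("Referer:", referer_value(page))     # full path and query exposed
    print(is_allowed_origin(serialize_origin(page), {"https://example.com"}))
```

Two pages on the same site serialize to the same origin, which is exactly why the header cannot name an individual page and why a wildcard is unnecessary on the request side: the server already receives a value it can compare byte-for-byte against its own policy.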