W3C home > Mailing lists > Public > public-webapps@w3.org > April to June 2009

Re: Origin enables XSS to escalate to XSRF

From: Anne van Kesteren <annevk@opera.com>
Date: Thu, 11 Jun 2009 13:51:23 +0200
To: "Jonathan Rees" <jar@creativecommons.org>, "Adam Barth" <w3c@adambarth.com>
Cc: "Mark S. Miller" <erights@google.com>, public-webapps <public-webapps@w3.org>
Message-ID: <op.uvcy7xak64w2qv@anne-van-kesterens-macbook.local>
On Thu, 11 Jun 2009 13:35:57 +0200, Jonathan Rees  
<jar@creativecommons.org> wrote:
> I think this may be a foolish question, but is the value of Origin:
> limited to sites? Couldn't it be an individual web page (URI)? Or a
> wildcard? Is there some principled reason for such a limitation (if it
> exists)?
> I took a look at the HTML5 draft (cited by CORS) and couldn't quite
> figure this out.

The reason is that this does not reveal confidential path information and  
can therefore more often be included in the request than the Referer  
header. (Since we've learned that changing Referer might have been a  
possible approach too, but alas, implementations are shipping.)

The other reason is that most security decisions in Web browsers (and by  
extension, on the Web) are origin based. It is that restriction that this  
draft is trying to alleviate.

Anne van Kesteren
Received on Thursday, 11 June 2009 11:52:11 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:12:54 UTC