- From: Jonas Sicking <jonas@sicking.cc>
- Date: Mon, 12 Jan 2009 16:31:49 -0800
- To: public-webapps@w3.org
Hi all,

There has been a lot of discussion lately in various forums about using an "Origin" header as a cross site request forgery (CSRF) protection mechanism. The idea has been to let the Origin header indicate who is causing the request, so that sites can more easily see whether the request is something that the site initiated itself, or whether it comes from an untrusted third party and should be ignored.

However, this is not how the 'Origin' header in Access-Control works. Here the "Origin" header refers to the origin of the site which is trying to read data, i.e. where any data returned is going to be sent (or, in the case of the preflight request, which site you are authorizing to make a request).

The two are different in the case of redirects. For example:

Site A uses Access-Control to fetch a resource from site B using a normal GET request. Site B redirects the request to site C.

When the browser follows the redirect and makes the request to site C, Access-Control demands that the Origin is "A". However, that doesn't make sense from a CSRF protection point of view, since site B is the one deciding what request to perform to site C.

Current HTML5 drafts say that on a redirect the "Origin" should be set to "null", which makes sense from a CSRF protection point of view, but makes it incompatible with "Origin" as defined by Access-Control.

There are 3 possible solutions that I can see to this:

1. Change the name of the Origin header in Access-Control
2. Change the name of the Origin header used for CSRF protection
3. Change the behavior of one (or both) of the specs such that they match in behavior.

My concern with doing 3 is that the CSRF protection part hasn't been fully ironed out yet, so if we were to tie Access-Control to the CSRF protection scheme then that might leave Access-Control in flux longer than we want.
My suggestion is to rename "Origin" to "Access-Control-Request-Origin" or "Access-Control-Origin" if possible (depends on where current implementers are in their ship schedule), or that we request that the CSRF protection header be renamed to something other than "Origin". / Jonas
Received on Tuesday, 13 January 2009 00:32:24 UTC
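The A -> B -> C redirect described in the post, modelled under both competing "Origin" semantics together with the allowlist check a site C would do for CSRF protection. This is an added illustration, not code from the post or from either spec; the site names, the dict-based redirect map and the function names are assumptions.

```python
# Added example: models the browser's "Origin" header on a redirected request
# under the two semantics the post contrasts, then applies site C's CSRF check.

ACCESS_CONTROL = "access-control"  # Origin = site that will read the response
CSRF_DRAFT = "html5-csrf-draft"    # Origin becomes "null" once a redirect is followed


def follow_redirects(initiator, first_target, redirects, semantics):
    """Return (final_target, origin_header) after the browser follows redirects.

    `redirects` is a constructed map from a site to the site it redirects to.
    """
    origin = initiator
    target = first_target
    while target in redirects:
        target = redirects[target]
        if semantics == CSRF_DRAFT:
            # HTML5 draft behaviour: the redirected request carries Origin: null
            origin = "null"
        # Access-Control behaviour: Origin stays the reader (A) even after a redirect
    return target, origin


def csrf_check(origin_header, trusted_origins):
    """Site-side check: accept only a non-null Origin that is on the allowlist."""
    if origin_header is None or origin_header == "null":
        return False
    return origin_header in trusted_origins


def simulate(semantics, trusted_by_c):
    """Site A fetches from B, B redirects to C (constructed scenario)."""
    target, origin = follow_redirects("A", "B", {"B": "C"}, semantics)
    return target, origin, csrf_check(origin, trusted_by_c)


if __name__ == "__main__":
    # With Access-Control semantics C sees Origin: A and, if it trusts A,
    # accepts a request that B actually chose; the draft's "null" is rejected.
    print(simulate(ACCESS_CONTROL, {"A"}))
    print(simulate(CSRF_DRAFT, {"A"}))
```

Under Access-Control semantics site C trusts the redirected request because the header names A, although B chose the request; under the HTML5 draft semantics the "null" Origin fails the check.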