Re: Do we need to rename the Origin header?

On Tue, Jan 13, 2009 at 7:31 AM, Anne van Kesteren <annevk@opera.com> wrote:
> On Tue, 13 Jan 2009 01:31:49 +0100, Jonas Sicking <jonas@sicking.cc> wrote:
>> My suggestion is to rename "Origin" to "Access-Control-Request-Origin"
>> or "Access-Control-Origin" if possible (depends on where current
>> implementers are in their ship schedule), or that we request that the
>> CSRF protection header be renamed to something other than "Origin".
>
> I'm fine with renaming it to Access-Control-Request-Origin as far as the
> Access Control draft is concerned.
>
> Maciej, Sam, Adam?

I agree with Thomas that having two headers that are the same in the
common case will lead to author confusion and server vulnerabilities.

One possibility is to change the Origin-header-for-CSRF-protection to
behave identically to the Origin-header-for-cross-site-XHR (i.e.,
don't set it to "null" on cross-origin redirects).  This would mean a
site couldn't use the header for CSRF protection if it generates POST
requests to untrusted sites.  I suspect this is fairly rare (although
I don't have hard numbers at my fingertips).

I don't think we should design the Origin-header-for-CSRF-protection
as the end-all, be-all CSRF defense.  Instead, we should optimize it
to be an easy-to-use defense that works well for 90% of sites.

Adam

Received on Tuesday, 13 January 2009 18:02:52 UTC
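
The trade-off discussed in the message above, as an added example that is not part of the original thread: a simplified model of the two Origin behaviours on a redirect chain, with a server-side allow-list check, showing why a site that POSTs to untrusted sites could not rely on the header without the "null" rule. The hosts bank.example and untrusted.example, the function names, and the rule that any cross-origin hop yields "null" are assumptions of this sketch.

```python
from urllib.parse import urlsplit

# Constructed sample values; bank.example and untrusted.example are placeholders.
TRUSTED_ORIGINS = {"https://bank.example"}


def origin_of(url):
    """Return scheme://host[:port] for a URL."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}"


def origin_header(initiator_url, hops, null_on_cross_origin_redirect):
    """Model the Origin value sent on the last request of a redirect chain.

    hops lists the URLs requested in order. Simplified assumption: under the
    CSRF-protection behaviour any cross-origin hop turns the value into
    "null"; under the cross-site-XHR behaviour the initiator's origin is kept.
    """
    if null_on_cross_origin_redirect:
        for prev, nxt in zip(hops, hops[1:]):
            if origin_of(prev) != origin_of(nxt):
                return "null"
    return origin_of(initiator_url)


def allow_state_change(origin):
    """Server-side check: accept only an allow-listed Origin.

    Treating a missing header (None) as a rejection is this example's choice.
    """
    return origin in TRUSTED_ORIGINS


# bank.example posts a form to untrusted.example, which redirects the POST back.
VIA_UNTRUSTED = ["https://untrusted.example/hook", "https://bank.example/transfer"]
SAME_ORIGIN = ["https://bank.example/old", "https://bank.example/transfer"]
PAGE = "https://bank.example/pay"

if __name__ == "__main__":
    for label, hops in (("via untrusted", VIA_UNTRUSTED), ("same origin", SAME_ORIGIN)):
        for null_mode in (True, False):
            value = origin_header(PAGE, hops, null_mode)
            print(label, "null-on-redirect" if null_mode else "xhr-style",
                  value, allow_state_change(value))
```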