Re: Do we need to rename the Origin header?

Ian Hickson wrote on 1/13/2009 7:09 PM: 
> On Tue, 13 Jan 2009, Jonas Sicking wrote:
>> It's not just POST that we need to worry about, ideally we should cover 
>> the GET case as well. Or at least it's quite likely that we will want 
>> to.
> 
> My understanding was that we didn't want to include Origin in GET 
> requests. In fact HTML5 right now goes out of its way to avoid including 
> it in GET requests.

Presumably it's due to the concern raised by "Origin Header for CSRF Mitigation":

-----
The Origin header also improves on the Referer header by NOT leaking intranet host names to external sites when a user follows a hyperlink from an intranet host to an external site because hyperlinks generate GET requests.

http://crypto.stanford.edu/websec/specs/origin-header/
-----

What would be more helpful though is if the Origin header is sent for any GET/HEAD requests that are sent back to the same domain; that way, the domain can confirm the request is coming from itself and it still avoids leaking intranet host names to external sites.


- Bil

Received on Wednesday, 14 January 2009 02:35:49 UTC
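As an added example that is not part of the thread, the following Python model shows both halves of the scheme Bil describes: a browser-side rule that attaches Origin to all non-GET requests but to GET/HEAD only when the target is same-origin (so an outbound link from an intranet page carries no Origin, unlike a full Referer), and a server-side check that confirms a request came from the server's own origin. The function names, the `restrict_reads` flag and the sample hostnames are hypothetical; the Referer behaviour is a simplified model of how browsers of the time sent it, included only for contrast.

```python
from urllib.parse import urlsplit

# Added example: a hypothetical model of the policy proposed in the post,
# not code from the thread, the Origin header draft, or any browser.

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url):
    """Serialize the origin (scheme://host[:port]) of an absolute URL.
    The host is lowercased and a scheme's default port is omitted."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.hostname:
        raise ValueError(f"not an absolute URL: {url!r}")
    scheme = parts.scheme.lower()
    origin = f"{scheme}://{parts.hostname}"  # urlsplit lowercases hostname
    port = parts.port
    if port is not None and port != DEFAULT_PORTS.get(scheme):
        origin += f":{port}"
    return origin


def referer_header_for(source_url, target_url):
    """Simplified Referer behaviour of the era: the full source URL is sent
    on any navigation except from an https page to an http target. This is
    what reveals an intranet host name when a user follows an outbound link."""
    if urlsplit(source_url).scheme == "https" and urlsplit(target_url).scheme == "http":
        return None
    return source_url


def origin_header_for(method, source_url, target_url):
    """Browser side of the proposal: which Origin value (if any) to attach.
    Non-GET/HEAD requests always carry the source origin. GET/HEAD carry it
    only when the target is same-origin, so a cross-site link sends nothing
    and the source host name is never exposed to the external site."""
    src = origin_of(source_url)
    if method.upper() in ("GET", "HEAD") and src != origin_of(target_url):
        return None
    return src


def server_accepts(method, headers, own_origin, restrict_reads=False):
    """Server side: does the request pass the Origin check?
    headers: request headers (names matched case-insensitively).
    own_origin: the origin this server considers itself to be.
    restrict_reads: when True, GET/HEAD must also carry a matching Origin,
    i.e. only same-origin navigations and fetches are allowed (hypothetical
    per-endpoint switch)."""
    lowered = {k.lower(): v for k, v in headers.items()}
    raw = lowered.get("origin")
    if raw is None:
        sent = None
    else:
        try:
            sent = origin_of(raw.strip())
        except ValueError:
            sent = "invalid"  # malformed value or the literal "null": never matches
    matches = sent is not None and sent == origin_of(own_origin)
    if method.upper() in ("GET", "HEAD"):
        if restrict_reads:
            return matches
        # Unrestricted read: a missing header (bookmark, typed URL, or a
        # cross-site link under this scheme) is tolerated; an explicit
        # mismatch is rejected.
        return sent is None or matches
    # State-changing methods: require a matching Origin, no exceptions.
    return matches


if __name__ == "__main__":
    intranet = "http://intranet.corp.example/wiki/page"   # constructed sample
    external = "http://external.example/"                 # constructed sample
    print("Referer on outbound link:", referer_header_for(intranet, external))
    print("Origin  on outbound link:", origin_header_for("GET", intranet, external))
    print("Origin  on same-site GET:",
          origin_header_for("GET", intranet, "http://intranet.corp.example/other"))
    print("Cross-site POST accepted?",
          server_accepts("POST", {"Origin": "http://external.example"},
                         "http://intranet.corp.example"))
```

Run as a script it prints the contrast the post draws: the Referer on an outbound link names the intranet host, the Origin under this rule is absent, and a same-site GET still carries an Origin the server can verify. One caveat the model makes visible: because a cross-site GET and a bookmark both arrive with no Origin, a server can only distinguish them on endpoints where it insists on a matching header (`restrict_reads=True` here), which is why the scheme is a CSRF mitigation for same-origin confirmation rather than a general cross-site read detector.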