- From: Bil Corry <bil@corry.biz>
- Date: Tue, 13 Jan 2009 20:35:02 -0600
- To: Ian Hickson <ian@hixie.ch>
- CC: Jonas Sicking <jonas@sicking.cc>, Adam Barth <w3c@adambarth.com>, Anne van Kesteren <annevk@opera.com>, public-webapps@w3.org, Maciej Stachowiak <mjs@apple.com>, Sam Weinig <weinig@apple.com>
Ian Hickson wrote on 1/13/2009 7:09 PM:
> On Tue, 13 Jan 2009, Jonas Sicking wrote:
>> It's not just POST that we need to worry about, ideally we should cover
>> the GET case as well. Or at least it's quite likely that we will want
>> to.
>
> My understanding was that we didn't want to include Origin in GET
> requests. In fact HTML5 right now goes out of its way to avoid including
> it in GET requests.

Presumably it's due to the concern raised by "Origin Header for CSRF Mitigation":

-----
The Origin header also improves on the Referer header by NOT leaking intranet host names to external sites when a user follows a hyperlink from an intranet host to an external site because hyperlinks generate GET requests.

http://crypto.stanford.edu/websec/specs/origin-header/
-----

What would be more helpful though is if the Origin header is sent for any GET/HEAD requests that are sent back to the same domain; that way, the domain can confirm the request is coming from itself and it still avoids leaking intranet host names to external sites.

- Bil
Received on Wednesday, 14 January 2009 02:35:49 UTC
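The behaviour Bil proposes above, modelled end to end as an added example (this is not code from the mail, from HTML5, or from the Stanford draft): the browser side decides which Origin value, if any, to attach (always for POST, as the thread takes for granted; for GET/HEAD only when the request goes back to the same origin, so a hyperlink from an intranet host to an external site carries nothing), and the server side uses the presence and value of that header to tell a same-origin request from a cross-site one before running a handler with side effects. All URLs and host names are constructed for the example.

```python
"""Model of the same-origin-only Origin header proposal from the thread.

Added example, not code from the mailing-list discussion. Host names are
constructed; the "browser" and "server" are plain functions.
"""
from urllib.parse import urlsplit

SAFE_METHODS = ("GET", "HEAD")


def origin_of(url: str) -> str:
    """Serialize scheme://host[:port] of a URL; this is what Origin carries."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}".lower()


def origin_header_for(method: str, source_url: str, target_url: str):
    """Browser side: which Origin header to attach under the proposal.

    - non-safe methods (POST etc.): always send the originating page's origin;
    - GET/HEAD back to the same origin: send it, so the site can recognise
      requests that come from itself;
    - GET/HEAD to a different origin (a hyperlink out of an intranet): send
      nothing, so the intranet host name is not leaked.
    Returns None when no header is sent.
    """
    src, dst = origin_of(source_url), origin_of(target_url)
    if method.upper() in SAFE_METHODS and src != dst:
        return None
    return src


def classify_request(own_origin: str, origin_header):
    """Server side: what the Origin header says about the sender."""
    if origin_header is None:
        return "unknown"          # cross-site navigation, or a client that never sends Origin
    if origin_header.lower() == own_origin.lower():
        return "same-origin"
    return "cross-site"


def allow_side_effect(method: str, own_origin: str, origin_header) -> bool:
    """CSRF gate for any handler that changes state, whatever the method.

    Covers the GET case Jonas raised: a GET with side effects is only run when
    the browser has positively identified the request as same-origin.
    """
    return classify_request(own_origin, origin_header) == "same-origin"


def simulate(method: str, source_url: str, target_url: str):
    """Browser and server in one call: (header sent, classification, allowed)."""
    hdr = origin_header_for(method, source_url, target_url)
    own = origin_of(target_url)
    return hdr, classify_request(own, hdr), allow_side_effect(method, own, hdr)


if __name__ == "__main__":
    cases = [  # constructed sample requests
        ("GET", "http://wiki.intranet.example/page", "https://public.example/"),
        ("GET", "https://bank.example/account", "https://bank.example/export?csv=1"),
        ("POST", "http://attacker.example/lure.html", "https://bank.example/transfer"),
        ("POST", "https://bank.example/form", "https://bank.example/transfer"),
    ]
    for case in cases:
        print(case, "->", simulate(*case))
```

The first case is the intranet leak the Stanford draft worries about: no header leaves the browser. The second is Bil's addition: a same-origin GET does carry `Origin`, so a GET endpoint with side effects can be gated the same way as a POST. Two caveats for anyone turning this into a real check: the comparison is on the serialized origin, so `https://bank.example` and `https://bank.example:443` will not match unless the server canonicalises default ports, and a missing header is classified as "unknown" rather than trusted, because an absent `Origin` is exactly what a cross-site hyperlink looks like under this proposal.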