- From: Bil Corry <bil@corry.biz>
- Date: Fri, 16 Jan 2009 11:02:38 -0600
- To: Maciej Stachowiak <mjs@apple.com>
- CC: Adrian Bateman <adrianba@microsoft.com>, Anne van Kesteren <annevk@opera.com>, Jonas Sicking <jonas@sicking.cc>, "public-webapps@w3.org" <public-webapps@w3.org>
Maciej Stachowiak wrote on 1/15/2009 10:40 PM:
> CONCLUSION: We should use a single Origin header with the name and
> semantics of the Access-Control Origin header for both its
> Access-Control purpose and for redirect defense. The differences in the
> HTML5 version are not worth the cost of a very similar but subtly
> different header. And if we ever find the attack in case 3 is more than
> theoretical, we could add a 'Redirected-Via' header to provide full
> information.

Thank you for the extended explanation. I do now see your point, and agree it's probably the best course of action.

It will, however, still leave open some odd side-effects from not identifying the redirect source, but maybe they're unlikely to be common. For example, Site A allows the users to specify a remote location for their avatar image; the user points to Site B, which in turn then redirects to Site C. Site C doesn't like its images being used remotely and checks the Origin header and identifies Site A. Site C then complains to Site A about the hotlinking; Site A checks its avatar URLs and doesn't find Site C listed. So now you have Site C being hotlinked from Site A, but Site A has no way to discover how it's happening other than to crawl all outbound URLs.

- Bil
Received on Friday, 16 January 2009 17:03:18 UTC
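The redirect chain from Bil's avatar scenario, as an added example that is not part of the thread: a request initiated by a page on Site A is sent to Site B, Site B redirects to Site C, and Site C inspects what it receives. The client carries a single Origin header naming the initiating origin and does not rewrite it on redirect, matching the quoted conclusion. The hostnames are invented, the "servers" are an in-memory table, and the optional Redirected-Via header is modelled as a comma-separated list of redirecting origins purely as an assumption; the thread names that header but does not define its format.

```javascript
// Added example, not code from the mailing-list thread. Models the
// avatar-hotlinking redirect chain: Site A's page embeds a URL on Site B,
// Site B redirects to Site C, Site C inspects the request. Hostnames invented.

// Constructed "servers": what each origin does with an incoming request.
const SITES = {
  'https://site-b.example': { kind: 'redirect', location: 'https://site-c.example/avatar.png' },
  'https://site-c.example': { kind: 'image' },
};

// Follow redirects with a single Origin header naming the initiating origin,
// sent unchanged on every hop (the conclusion quoted in the thread). When
// `redirectedVia` is true, a hypothetical Redirected-Via header is added too;
// its format (comma-separated redirecting origins) is an assumption here.
function fetchWithOrigin(url, origin, { redirectedVia = false, maxRedirects = 5 } = {}) {
  const seen = [];   // request headers as observed by each server, in hop order
  const hops = [];   // origins that have issued a redirect so far
  let current = url;
  for (let i = 0; i <= maxRedirects; i++) {
    const site = new URL(current).origin;
    const server = SITES[site];
    if (!server) throw new Error(`no constructed server for ${site}`);
    const headers = { Origin: origin };
    if (redirectedVia && hops.length > 0) headers['Redirected-Via'] = hops.join(', ');
    seen.push({ server: site, headers });
    if (server.kind === 'redirect') {
      hops.push(site);
      current = server.location;
      continue;
    }
    return { finalServer: site, seen };
  }
  throw new Error('too many redirects');
}

// Site C's hotlink check, written the way a server operator would: which
// origin is embedding my image, and which intermediate site (if any) sent
// the request here? Without Redirected-Via the second answer is always empty.
function hotlinkReport(request) {
  const via = request.headers['Redirected-Via'];
  return {
    embeddingOrigin: request.headers.Origin,
    redirectors: via ? via.split(',').map((s) => s.trim()) : [],
  };
}

// Look up the request a given server observed during one fetch.
function requestSeenBy(result, site) {
  return result.seen.find((e) => e.server === site) || null;
}
```

With only the Origin header, Site C's report names Site A and nothing else, which is exactly the gap Bil describes: Site A is blamed for a URL it never stored. With the assumed Redirected-Via header, the same report also names Site B, so Site A could match the complaint against its avatar list.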