- From: Mike West <mkwst@google.com>
- Date: Mon, 18 Aug 2014 09:45:59 +0200
- To: "public-webappsec@w3.org" <public-webappsec@w3.org>
- Cc: Anne van Kesteren <annevk@annevk.nl>
Received on Monday, 18 August 2014 07:46:47 UTC
On the last call, we briefly discussed the idea of sending a `context` HTTP request header containing the request context (http://fetch.spec.whatwg.org/#concept-request-context) associated with the request. That is, a request generated from `<img src="/image.png">` would send something like `Context: image`, while a request generated from `<script src="/image.png"></script>` would send `Context: script`.

This could potentially help developers limit their exposure to certain kinds of attack (e.g. a JSONP endpoint could reject non-"script" requests, which would mitigate exposure to things like http://miki.it/blog/2014/7/8/abusing-jsonp-with-rosetta-flash/).

I haven't thought through the impacts of such a header, but I'd like to make sure the suggestion doesn't stay buried in the service worker thread. :)

--
Mike West <mkwst@google.com>
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Registration court and number: Hamburg, HRB 86891
Registered office: Hamburg
Managing directors: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
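The server-side check the mail sketches, as an added example that is not part of the original thread or of any browser's implementation: a JSONP handler that accepts a request only when the proposed `Context` request header reports a `script` initiator, and rejects `image`, missing or other values. The header name and its values are taken from the proposal above and were not a shipped standard at the time, so treat them as an assumption; the `handleJsonpRequest` function, the callback-name rule and the sample requests are constructed for this example. The callback validation and `/**/` prefix are a commonly paired hardening against the linked Rosetta Flash technique, not something the mail itself specifies.

```javascript
// Added example (not from the original mail): a JSONP endpoint that enforces
// the proposed `Context` request header. Header name/values are the proposal's
// and are an assumption; everything else here is constructed.

// Only identifiers are accepted as callback names, so the response body can
// never be steered into another syntax (the Rosetta Flash issue relied on
// attacker-chosen bytes at the very start of the response).
const CALLBACK_RE = /^[A-Za-z_$][A-Za-z0-9_$]{0,63}$/;

// headers: lower-cased header-name -> value map, as most HTTP servers expose it.
// query:   parsed query-string parameters.
// Returns { status, body, contentType } instead of writing to a socket so the
// policy can be unit-tested without a running server.
function handleJsonpRequest(headers, query) {
  const ctx = String(headers['context'] || '').trim().toLowerCase();

  // Fail closed: a JSONP response is only ever meaningful to a <script>
  // element, so any other (or absent) context is refused outright.
  if (ctx !== 'script') {
    return {
      status: 403,
      body: 'JSONP endpoint only serves script-context requests',
      contentType: 'text/plain',
    };
  }

  const cb = query.callback !== undefined ? String(query.callback) : 'callback';
  if (!CALLBACK_RE.test(cb)) {
    return { status: 400, body: 'invalid callback name', contentType: 'text/plain' };
  }

  const payload = JSON.stringify({ ok: true });
  return {
    status: 200,
    // Leading comment: the response can no longer begin with attacker-chosen
    // bytes even if some other check is bypassed.
    body: `/**/ ${cb}(${payload});`,
    contentType: 'application/javascript',
  };
}

// Constructed sample requests, one per initiator kind the mail mentions plus a
// headerless client, so the decision for each can be seen side by side.
const SAMPLE_REQUESTS = [
  { label: '<script src=...>',  headers: { context: 'script' }, query: { callback: 'onData' } },
  { label: '<img src=...>',     headers: { context: 'image' },  query: { callback: 'onData' } },
  { label: 'no Context header', headers: {},                    query: { callback: 'onData' } },
  { label: 'bad callback',      headers: { context: 'script' }, query: { callback: 'x;alert(1)' } },
];

function runSamples() {
  return SAMPLE_REQUESTS.map((r) => ({
    label: r.label,
    status: handleJsonpRequest(r.headers, r.query).status,
  }));
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const row of runSamples()) {
    console.log(`${row.label.padEnd(20)} -> ${row.status}`);
  }
}
```

Because the decision is a pure function of the headers and query, the same logic drops into an Express/Koa middleware by mapping the returned object onto the response; the point to keep is that the check fails closed, so an older client that does not send the header is refused rather than silently allowed.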