
Re: Frame Ancestors and Referrer (Re: [webappsec] Call for Consensus: Stop work on Content Security Policy 1.0, transition to WG Note)

From: Devdatta Akhawe <dev.akhawe@gmail.com>
Date: Fri, 24 Oct 2014 12:39:37 -0700
Message-ID: <CAPfop_3VQq7kM1R4kVCaEUosbsNO7NcE-98=R80ABzQvL_jRxQ@mail.gmail.com>
To: Michal Zalewski <lcamtuf@coredump.cx>
Cc: Mike West <mkwst@google.com>, Sean Snider <ssnider@yahoo-inc.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
> Today, both of these get leaked a lot; giving them a browser-supported
> way to minimize exposure sounds nice.

It is conceivable to design a system on the web where the name of the
origin is also a secret you want to keep. For example, imagine a
capability-based system that isolates based on whether or not you know
a secret value/token. Right now, these mostly rely on tokens in the
URL, but there is no reason why they couldn't rely on these tokens in the
domain name, and then you want to keep those secret.* That is likely far more
secure since everywhere else the web security model is based on

Sean is right in that this is not very common or needed today, but
there is no reason not to have this option since attackers can already
rely on other tricks to hide data: URIs. I view this header as giving
that option to the "good folks" in a systematic manner.


* Although, the Origin header that some browsers send for all requests
messes this up a bit
Received on Friday, 24 October 2014 19:40:24 UTC
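The point of the thread above, that a capability token moved from the URL path into the hostname is still exposed by any policy that sends the origin, is easy to see by working through the Referrer-Policy rules. The following is an added example, not code from this thread or from the W3C working group: it models the referrer that a browser would send under each standard policy value and checks whether a constructed token survives in it. The hostnames (`app.example`, `cdn.other.example`) and the token `s3cr3t` are constructed for the demonstration.

```python
"""Added example: which Referrer-Policy values leak a capability token that is
embedded in the URL path versus one embedded in the hostname.
Hostnames and the token are constructed; nothing here is real infrastructure."""
from urllib.parse import urlsplit

# Referrer-Policy values from the W3C Referrer Policy spec.
NO_REFERRER = "no-referrer"
NO_REFERRER_WHEN_DOWNGRADE = "no-referrer-when-downgrade"
ORIGIN = "origin"
STRICT_ORIGIN = "strict-origin"
SAME_ORIGIN = "same-origin"
STRICT_ORIGIN_WHEN_CROSS_ORIGIN = "strict-origin-when-cross-origin"
UNSAFE_URL = "unsafe-url"
ALL_POLICIES = (NO_REFERRER, NO_REFERRER_WHEN_DOWNGRADE, ORIGIN, STRICT_ORIGIN,
                SAME_ORIGIN, STRICT_ORIGIN_WHEN_CROSS_ORIGIN, UNSAFE_URL)


def origin_of(url):
    """scheme://host[:port] of a URL (the tuple origin, serialized)."""
    p = urlsplit(url)
    port = f":{p.port}" if p.port else ""
    return f"{p.scheme}://{p.hostname}{port}"


def strip_for_referrer(url):
    """Full referrer: userinfo and fragment are never sent, path/query are."""
    p = urlsplit(url)
    path = p.path or "/"
    query = f"?{p.query}" if p.query else ""
    return origin_of(url) + path + query


def is_downgrade(source_url, target_url):
    """True when an https document requests an http resource."""
    return urlsplit(source_url).scheme == "https" and urlsplit(target_url).scheme == "http"


def referrer_for(policy, source_url, target_url):
    """Return the Referer header value for the request, or None when none is sent."""
    same = origin_of(source_url) == origin_of(target_url)
    downgrade = is_downgrade(source_url, target_url)
    full = strip_for_referrer(source_url)
    origin_only = origin_of(source_url) + "/"
    if policy == NO_REFERRER:
        return None
    if policy == NO_REFERRER_WHEN_DOWNGRADE:
        return None if downgrade else full
    if policy == ORIGIN:
        return origin_only
    if policy == STRICT_ORIGIN:
        return None if downgrade else origin_only
    if policy == SAME_ORIGIN:
        return full if same else None
    if policy == STRICT_ORIGIN_WHEN_CROSS_ORIGIN:
        if same:
            return full
        return None if downgrade else origin_only
    if policy == UNSAFE_URL:
        return full
    raise ValueError(f"unknown policy {policy!r}")


def origin_header_for(source_url, method):
    """The Origin header (sent on non-GET/HEAD requests regardless of referrer
    policy) carries the origin, which is the footnote's concern when the
    token lives in the hostname."""
    if method.upper() in ("GET", "HEAD"):
        return None
    return origin_of(source_url)


def leaks_token(policy, source_url, target_url, token):
    """True if the token string is visible in the Referer that would be sent."""
    ref = referrer_for(policy, source_url, target_url)
    return ref is not None and token in ref


def exposure_table(source_url, target_url, token):
    """Map each policy to whether it leaks the token for this source/target pair."""
    return {p: leaks_token(p, source_url, target_url, token) for p in ALL_POLICIES}


if __name__ == "__main__":
    TOKEN = "s3cr3t"  # constructed capability token
    cross_origin_target = "https://cdn.other.example/lib.js"
    in_path = f"https://app.example/cap/{TOKEN}?view=1"
    in_host = f"https://{TOKEN}.app.example/"
    print("token in path:", exposure_table(in_path, cross_origin_target, TOKEN))
    print("token in host:", exposure_table(in_host, cross_origin_target, TOKEN))
    print("Origin header on POST from host-token page:", origin_header_for(in_host, "POST"))
```

Running the script shows that for a cross-origin request the default `strict-origin-when-cross-origin` policy hides a path token but not a hostname token, and that only `no-referrer` (or `same-origin` for cross-origin targets) keeps a hostname token out of the Referer entirely; the Origin header still exposes it on non-GET requests.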
