- From: Devdatta Akhawe <dev.akhawe@gmail.com>
- Date: Fri, 24 Oct 2014 12:39:37 -0700
- To: Michal Zalewski <lcamtuf@coredump.cx>
- Cc: Mike West <mkwst@google.com>, Sean Snider <ssnider@yahoo-inc.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
> Today, both of these get leaked a lot; giving them a browser-supported
> way to minimize exposure sounds nice.

It is conceivable to design a system on the web where the name of the origin is also a secret you want to keep. For example, imagine a capability-based system that isolates based on whether or not you know a secret value/token. Right now, these mostly rely on tokens in the URL but no reason why they couldn't rely on these tokens in the domain name and you want to keep those secret.* That is likely far more secure since everywhere else the web security model is based on origins.

Sean is right in that this is not very common or needed today, but there is no reason not to have this option since attackers can already rely on other tricks to hide data: URIs. I view this header as giving that option to the "good folks" in a systematic manner.

cheers
Dev

* Although, the Origin header that some browsers send for all requests messes this up a bit.
Received on Friday, 24 October 2014 19:40:24 UTC