
[whatwg] Origin header and <form>s

From: Jonas Sicking <jonas@sicking.cc>
Date: Wed, 09 Jul 2008 18:59:54 -0700
Message-ID: <48756D1A.5010106@sicking.cc>
Hi All,

The Access-Control spec [1] adds an 'Origin' header that is submitted 
with all requests. I propose that we specify that <form> POSTs should do 
the same. This would be a very powerful mechanism to prevent CSRF 
attacks as it would allow CSRF prevention to happen in the server, 
rather than in the application layer.

This way servers could be configured to reject all POST requests that 
have an Origin header from a different site.

This wouldn't replace the normal CSRF protections sites need to do for 
now, but eventually enough UAs will implement this that servers can just 
reject POSTs that don't have 'Origin' set. This would be especially 
true if we can get this feature backported into old browsers (we'll 
likely backport it to FF3).

/ Jonas

[1] http://dev.w3.org/2006/waf/access-control/
Received on Wednesday, 9 July 2008 18:59:54 UTC
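The server-side check the proposal describes, written up as an added example (not code from the post or from any browser or server project): during the transition it rejects only POSTs whose Origin is present and does not match the site, and in "strict" mode, once enough UAs send the header, it also rejects POSTs with no Origin at all. The site origin and the request headers below are constructed for the example.

```python
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

# Form submissions are POST; other state-changing methods are covered as well,
# since the same cross-site concern applies to them.
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}

def normalize_origin(origin: str) -> Optional[str]:
    """Canonicalise an origin to scheme://host[:port], dropping default ports.
    Returns None when the value is not a well-formed http(s) origin."""
    parts = urlsplit(origin.strip())
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    try:
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return None
    default_port = 443 if parts.scheme == "https" else 80
    if port is None or port == default_port:
        return f"{parts.scheme}://{parts.hostname}"
    return f"{parts.scheme}://{parts.hostname}:{port}"

def check_origin(method: str, headers: Dict[str, str], site_origin: str,
                 strict: bool = False) -> Tuple[bool, str]:
    """Decide whether a request may proceed based solely on its Origin header.
    Returns (allowed, reason). strict=True is the end state the post describes:
    a state-changing request without Origin is refused outright."""
    if method.upper() not in STATE_CHANGING:
        return True, "safe method"
    lowered = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    origin = lowered.get("origin")
    if origin is None:
        if strict:
            return False, "missing Origin"
        return True, "legacy UA, no Origin (application-layer CSRF checks still apply)"
    # "null" is sent for opaque/privacy-sensitive contexts; it can never prove same-site.
    if origin.strip() == "null":
        return False, "null Origin"
    requester = normalize_origin(origin)
    if requester is None:
        return False, "malformed Origin"
    if requester != normalize_origin(site_origin):
        return False, "cross-site Origin"
    return True, "same-origin"
```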
