[whatwg] CSRFs and Origin header and <form>s

From: Adam Barth <whatwg@adambarth.com>
Date: Sat, 29 Nov 2008 22:04:08 -0800
Message-ID: <7789133a0811292204m3f0c04cfnd05c91f9f2d7489b@mail.gmail.com>
On Sat, Nov 29, 2008 at 8:13 PM, Ian Hickson <ian at hixie.ch> wrote:
> On Wed, 9 Jul 2008, Jonas Sicking wrote:
>> This way servers could be configured to reject all POST requests that
>> have an Origin header from a different site.
>
> I'm all in favour of doing this, but isn't this something that belongs in
> the HTTP spec rather than HTML5?

I've taken the liberty of writing up a mini-spec for the proposal:

http://crypto.stanford.edu/websec/specs/origin-header/

I'm not sure if the HTTP spec is the most appropriate place because
the spec has a dependency on HTML 5 to compute the ASCII serialization
of the origin.

Adam
Received on Saturday, 29 November 2008 22:04:08 UTC
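Below is an added illustration of the rule Jonas describes and the origin serialization Adam says the proposal depends on; it is example code written here, not code from the message or from the linked mini-spec. It assumes a plain dict of request headers and that the site's own origin is configured as a URL string.

```python
from urllib.parse import urlsplit

# Default ports are omitted from the serialized origin (assumption modelled
# on the HTML5 origin serialization the message refers to).
DEFAULT_PORTS = {"http": 80, "https": 443}


def serialize_origin(url: str) -> str:
    """Return the ASCII serialization scheme://host[:port] of a URL's origin,
    lower-cased, with the scheme's default port dropped."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()  # hostname is already lower-cased
    port = parts.port
    if port is None or port == DEFAULT_PORTS.get(scheme):
        return f"{scheme}://{host}"
    return f"{scheme}://{host}:{port}"


def should_reject_post(method: str, headers: dict, site_origin: str) -> bool:
    """Server-side rule from the thread: reject a POST whose Origin header is
    present and names a different site. Requests that carry no Origin header
    (older browsers) are left alone, exactly as the proposal states."""
    if method.upper() != "POST":
        return False
    # Header names are case-insensitive, so look the field up that way.
    origin = next((v for k, v in headers.items() if k.lower() == "origin"), None)
    if origin is None:
        return False
    # A literal "null" origin can never equal the site's own origin, so the
    # same-site test fails for it (assumption: treat it as cross-site).
    if origin.strip().lower() == "null":
        return True
    return serialize_origin(origin.strip()) != serialize_origin(site_origin)


if __name__ == "__main__":
    # Constructed sample requests against a site served at https://example.com
    site = "https://example.com"
    for method, hdrs in [
        ("POST", {"Origin": "https://attacker.example"}),  # cross-site: reject
        ("POST", {"origin": "https://Example.com:443"}),   # same site: allow
        ("POST", {}),                                       # no header: allow
        ("GET", {"Origin": "https://attacker.example"}),   # not a POST: allow
    ]:
        print(method, hdrs, "->", "REJECT" if should_reject_post(method, hdrs, site) else "allow")
```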