- From: Ian Hickson <ian@hixie.ch>
- Date: Sun, 30 Nov 2008 06:20:05 +0000 (UTC)
On Sat, 29 Nov 2008, Adam Barth wrote:
> On Sat, Nov 29, 2008 at 8:13 PM, Ian Hickson <ian at hixie.ch> wrote:
> > On Wed, 9 Jul 2008, Jonas Sicking wrote:
> >> This way servers could be configured to reject all POST requests that
> >> have an Origin header from a different site.
> >
> > I'm all in favour of doing this, but isn't this something that belongs
> > in the HTTP spec rather than HTML5?
>
> I've taken the liberty of writing up a mini-spec for the proposal:
>
> http://crypto.stanford.edu/websec/specs/origin-header/
>
> I'm not sure if the HTTP spec is the most appropriate place because the
> spec has a dependency on HTML 5 to compute the ASCII serialization of
> the origin.

Well I don't mind putting it in HTML5 if that's where it has to be. Might be worth asking the HTTP WG for advice though.

Regarding the open issue -- it seems like whenever a cross-origin redirect takes place, the origin of the redirecting site should be used, instead of the original origin. (But the origin should survive same-origin redirects unaffected.) That would reduce the attack surface area to just the case of a hostile site finding a redirect on a site trusted by the victim that redirects to a victim site. Not sure if there's anything we can do about that case.

--
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Saturday, 29 November 2008 22:20:05 UTC
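
Added example, not part of the original message or the linked mini-spec: a Python sketch of the server-side check Jonas Sicking describes (reject POSTs whose Origin header names a different site) together with the redirect rule proposed in the reply. The function names, the hostnames, the `trusted` allow-list and the choice to let POSTs without an Origin header through are assumptions made for illustration.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def origin_of(url):
    """(scheme, host, port) tuple for a URL; default ports are filled in."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    return (scheme, host, parts.port or DEFAULT_PORTS.get(scheme))

def serialize(origin):
    """ASCII form used in the header; the default port is omitted."""
    scheme, host, port = origin
    if DEFAULT_PORTS.get(scheme) == port:
        return f"{scheme}://{host}"
    return f"{scheme}://{host}:{port}"

def origin_after_redirects(initiator_url, hops):
    """Origin value seen by the last URL in hops under the proposed rule.

    hops[0] is the URL the initiating page requested; each later entry is
    the target of a redirect issued by the entry before it.
    """
    current = origin_of(initiator_url)
    for redirector, target in zip(hops, hops[1:]):
        if origin_of(redirector) != origin_of(target):
            # Cross-origin redirect: the redirecting site's origin replaces it.
            current = origin_of(redirector)
        # Same-origin redirect: the origin survives unchanged.
    return serialize(current)

def allow_request(method, origin_header, site_url, trusted=()):
    """Reject POSTs whose Origin header names a different site."""
    if method.upper() != "POST" or origin_header is None:
        # Assumption: requests without the header fall outside this policy.
        return True
    sender = origin_of(origin_header)
    allowed = [origin_of(site_url)] + [origin_of(t) for t in trusted]
    return sender in allowed

if __name__ == "__main__":
    # Constructed hostnames; a page on other.example submits a form.
    direct = origin_after_redirects("https://other.example/p", ["https://shop.example/pay"])
    print(direct, allow_request("POST", direct, "https://shop.example/"))
    # Residual case from the message: a redirect on an allow-listed site.
    via = origin_after_redirects("https://other.example/p",
                                 ["https://partner.example/go", "https://shop.example/pay"])
    print(via, allow_request("POST", via, "https://shop.example/", trusted=["https://partner.example"]))
```

The second call shows why the residual case in the message matters to anyone maintaining such an allow-list: the header names the redirecting site, so every origin on the list has to be free of redirects that can be pointed at the protected endpoint.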