- From: Adam Barth <whatwg@adambarth.com>
- Date: Sat, 29 Nov 2008 22:38:22 -0800
On Sat, Nov 29, 2008 at 10:20 PM, Ian Hickson <ian at hixie.ch> wrote:
> Regarding the open issue -- it seems like whenever a cross-origin redirect
> takes place, the origin of the redirecting site should be used, instead of
> the original origin. (But the origin should survive same-origin redirects
> unaffected.)

That makes sense for CSRF mitigation, but it might not make sense for
cross-site XMLHttpRequest. In that case, we'd like the header to identify
which origin will get to read the response (i.e., the JavaScript context
that initiated the request, not the redirector).

> That would reduce the attack surface area to just the case of a hostile
> site finding a redirect on a site trusted by the victim that redirects to
> a victim site. Not sure if there's anything we can do about that case.

Another possibility is to replace the Origin header with "null" if there is
a cross-origin redirect. The idea in this design is that multiple origins
have contributed to the request and the browser can't clearly disentangle
them. This design should address the open-redirector case as well.

Adam
Received on Saturday, 29 November 2008 22:38:22 UTC
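The following JavaScript is an added illustration of the two rules discussed in the message above; it is not part of the thread and not any browser's implementation. It models Ian's rule (a cross-origin redirect substitutes the redirecting site's origin, same-origin redirects leave the header unchanged) and Adam's rule (any cross-origin redirect collapses the header to "null"), then runs both through the open-redirector scenario Ian describes. The host names attacker.example, trusted.example and victim.example, the redirect chains, and the victim-side `victimAcceptsRequest` allowlist check are all constructed for the example; the assumption that the victim site lists trusted.example as an accepted Origin is what models "a site trusted by the victim".

```javascript
// Added example, not from the original thread or any browser implementation.
// Models the two proposals for the Origin header value after redirects,
// using a made-up attacker / trusted / victim scenario.

// Serialize the (scheme, host, port) origin tuple of a URL.
function originOf(urlString) {
  const u = new URL(urlString);
  return `${u.protocol}//${u.host}`; // host keeps a non-default port
}

function sameOrigin(a, b) {
  return originOf(a) === originOf(b);
}

// Ian's rule: a cross-origin redirect replaces the header with the
// redirecting site's origin; same-origin redirects leave it unchanged.
// `chain` lists the URLs fetched in order, chain[0] being the first request.
function originHeaderRedirector(initiatorOrigin, chain) {
  let origin = initiatorOrigin;
  for (let i = 1; i < chain.length; i++) {
    if (!sameOrigin(chain[i - 1], chain[i])) origin = originOf(chain[i - 1]);
  }
  return origin;
}

// Adam's rule: any cross-origin hop in the chain collapses the header to
// "null", since more than one origin contributed to the final request.
function originHeaderNull(initiatorOrigin, chain) {
  for (let i = 1; i < chain.length; i++) {
    if (!sameOrigin(chain[i - 1], chain[i])) return "null";
  }
  return initiatorOrigin;
}

// Hypothetical server-side CSRF check at the victim site: accept a
// state-changing request only when Origin is one of the origins the site
// trusts. The literal "null" never matches, so it is always rejected.
function victimAcceptsRequest(originHeader, trustedOrigins) {
  return trustedOrigins.includes(originHeader);
}

// Constructed scenario: a page on attacker.example triggers a request to an
// open redirector on trusted.example, which 302s to victim.example.
const ATTACKER = "https://attacker.example";
const OPEN_REDIRECT_CHAIN = [
  "https://trusted.example/redirect?to=https%3A%2F%2Fvictim.example%2Ftransfer",
  "https://victim.example/transfer",
];
// Constructed same-origin redirect, initiated by the victim's own page.
const SAME_ORIGIN_CHAIN = [
  "https://victim.example/transfer-old",
  "https://victim.example/transfer",
];
// Assumption: victim.example accepts requests from itself and trusted.example.
const VICTIM_TRUSTS = ["https://victim.example", "https://trusted.example"];

// Compute the header under both rules and whether the victim would accept it.
function compareRules(initiator, chain, trusted) {
  const redirector = originHeaderRedirector(initiator, chain);
  const nulled = originHeaderNull(initiator, chain);
  return {
    redirector,
    nulled,
    acceptedUnderRedirector: victimAcceptsRequest(redirector, trusted),
    acceptedUnderNull: victimAcceptsRequest(nulled, trusted),
  };
}

console.log("open redirector:", compareRules(ATTACKER, OPEN_REDIRECT_CHAIN, VICTIM_TRUSTS));
console.log("same-origin:", compareRules("https://victim.example", SAME_ORIGIN_CHAIN, VICTIM_TRUSTS));
```

In the open-redirector case the redirector rule hands the victim `Origin: https://trusted.example`, which passes the allowlist check even though attacker.example initiated the request; the "null" rule fails that check. The same-origin redirect leaves the header as the initiating origin under both rules, which is the "survive same-origin redirects unaffected" behaviour both participants want.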