- From: Anne van Kesteren <annevk@opera.com>
- Date: Mon, 29 Sep 2008 16:40:54 -0400
On Mon, 29 Sep 2008 16:06:09 -0400, Adam Barth <whatwg at adambarth.com> wrote:
> The current proposal is to send the Origin header for non-GET,
> non-HEAD requests. The main reason not to send the header all the
> time is that it raises similar privacy concerns as the Referer header,
> which have caused the Referer header to be suppressed a non-trivial
> fraction of the time.
>
> Sending the Origin header more often is better for security, but it is
> a gamble. If we decide to send it too often, users/network operators
> will just suppress the header and we won't have improved the
> situation. Sending the header for <form> POSTs seems like a clean
> design point because sites don't POST to untrusted sites nearly as
> often as they hyperlink to them.

Hmm, we went through this before I believe. I thought the issue with Referer was that it exposed path information, but I guess the problem with Origin is that it reveals the intranet server name? On the other hand, for the not-link-following case how common is it for intranet applications to load images and resources cross-site?

-- 
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>
Received on Monday, 29 September 2008 13:40:54 UTC