
[whatwg] Dealing with UI redress vulnerabilities inherent to the current web

From: Anne van Kesteren <annevk@opera.com>
Date: Mon, 29 Sep 2008 16:40:54 -0400
Message-ID: <op.uh9fqgjs64w2qv@annevk-t60.oslo.opera.com>
On Mon, 29 Sep 2008 16:06:09 -0400, Adam Barth <whatwg at adambarth.com> wrote:
> The current proposal is to send the Origin header for non-GET,
> non-HEAD requests.  The main reason not to send the header all the
> time is that it raises similar privacy concerns as the Referer header,
> which have caused the Referer header to be suppressed a non-trivial
> fraction of the time.
>
> Sending the Origin header more often is better for security, but it is
> a gamble.  If we decide to send it too often, users/network operators
> will just suppress the header and we won't have improved the
> situation.  Sending the header for <form> POSTs seems like a clean
> design point because sites don't POST to untrusted sites nearly as
> often as they hyperlink to them.

Hmm, we went through this before I believe. I thought the issue with
Referer was that it exposed path information, but I guess the problem with
Origin is that it reveals the intranet server name? On the other hand, for
the not-link-following case how common is it for intranet applications to
load images and resources cross-site?


-- 
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>
Received on Monday, 29 September 2008 13:40:54 UTC
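An added server-side check for the design discussed in this thread (example code, not from the WHATWG proposal or either author): it consults the Origin header only on non-GET, non-HEAD requests, rejects the opaque `null` origin, and treats a missing header, the suppression case Adam raises, as an explicit policy decision, falling back to the Referer's origin when one is present. The function and parameter names are assumptions.

```python
# Validate the Origin header on state-changing requests, as proposed in the
# thread: browsers attach Origin to non-GET/non-HEAD requests (e.g. <form>
# POST), so a server can refuse cross-site submissions. Hypothetical helper.

from typing import Iterable, Mapping, Optional
from urllib.parse import urlsplit

SAFE_METHODS = frozenset({"GET", "HEAD"})


def origin_of(url: str) -> str:
    """Serialize the origin (scheme://host[:port]) of an absolute URL."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


def _header(headers: Mapping[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def check_origin(method: str, headers: Mapping[str, str],
                 allowed: Iterable[str], *, allow_missing: bool = False) -> bool:
    """Return True if the request may proceed.

    allow_missing decides the ambiguous case the thread discusses: the header
    may be stripped by users or network operators. Rejecting on absence is the
    safe default; pass allow_missing=True only when a second defense (such as
    a per-session anti-CSRF token) covers those requests.
    """
    if method.upper() in SAFE_METHODS:
        return True  # the proposal sends no Origin on GET/HEAD, so nothing to check
    origin = _header(headers, "Origin")
    if origin is None:
        # Header suppressed or absent: fall back to the Referer's origin if any.
        referer = _header(headers, "Referer")
        if referer is None:
            return allow_missing
        origin = origin_of(referer)
    if origin == "null":  # opaque origin (sandboxed frame, data: URL, etc.)
        return False
    return origin.lower() in {o.lower() for o in allowed}
```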
