W3C home > Mailing lists > Public > whatwg@whatwg.org > September 2008

[whatwg] Dealing with UI redress vulnerabilities inherent to the current web

From: Henri Sivonen <hsivonen@iki.fi>
Date: Tue, 30 Sep 2008 19:31:58 +0300
Message-ID: <0CDDDDAF-19C1-4929-AC1D-60E1DD438BE4@iki.fi>
On Sep 29, 2008, at 23:52, Adam Barth wrote:

> On Mon, Sep 29, 2008 at 1:40 PM, Anne van Kesteren <annevk at opera.com> wrote:
>> I thought the issue with Referer was that it exposed path information,
>> but I guess the problem with Origin is that it reveals the intranet
>> server name?
>
> The query string and the path are probably the most privacy-sensitive.
> Yes, the concern is revealing the name of an intranet server.  Most
> names are probably innocuous (like www, hr, or wiki), but there are
> others that might be an issue (like secretproject).  It's hard for me
> to evaluate how concerning this privacy leak is.

This could be addressed by sending a cryptographic hash of the origin  
(using an algorithm that is commonly available in libraries used by  
server-side programmers).

-- 
Henri Sivonen
hsivonen at iki.fi
http://hsivonen.iki.fi/
Received on Tuesday, 30 September 2008 09:31:58 UTC