- From: Adam Barth <whatwg@adambarth.com>
- Date: Tue, 30 Sep 2008 09:55:15 -0700
On Tue, Sep 30, 2008 at 9:31 AM, Henri Sivonen <hsivonen at iki.fi> wrote: > This could be addressed by sending a cryptographic hash of the origin (using > an algorithm that is commonly available in libraries used by server-side > programmers). Interesting idea. So you're suggesting something like: Origin-SHA1: 4e13de73de2d1a1c350eb4ae429bb7b009a21a84 This sounds like it would work well if the site owner knew exactly all the origins he was expecting, but it makes it difficult to enforce a policy like "process this request if it came from a subdomain of example.com." Also, as a server operator, if I start getting a bunch of requests with a new origin hash, I'd have to guess whether this was an attack or another service on my network that I forgot about. (Traffic volumes might be a good clue about this.) Adam
Received on Tuesday, 30 September 2008 09:55:15 UTC