- From: Michal Zalewski <lcamtuf@dione.cc>
- Date: Tue, 30 Sep 2008 19:25:11 +0200 (CEST)
On Tue, 30 Sep 2008, Adam Barth wrote:

>> This could be addressed by sending a cryptographic hash of the origin (using
>> an algorithm that is commonly available in libraries used by server-side
>> programmers).
>
> Interesting idea. So you're suggesting something like:
> Origin-SHA1: 4e13de73de2d1a1c350eb4ae429bb7b009a21a84
>
> This sounds like it would work well if the site owner knew exactly all
> the origins he was expecting, but it makes it difficult to enforce a
> policy like "process this request if it came from a subdomain of
> example.com."

More importantly, since the dictionary of possible inputs is rather limited,
it would be pretty trivial to build a dictionary of site <-> hash pairs and
crack the values. May protect xyzzy2984.eur.int.example.com, but would
still reveal to me you are coming from playboy.com.

/mz
Received on Tuesday, 30 September 2008 10:25:11 UTC
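
An added illustration of the two points in this message (not part of the original e-mail or of any proposal text): an unsalted hash of a guessable origin is reversed by a table computed once in advance, and a server holding only the hash can match exact origins but cannot evaluate a subdomain policy. The `scheme://host` serialization and the candidate host list are assumptions constructed for the example.

```python
import hashlib


def origin_sha1(origin: str) -> str:
    """Hex SHA-1 of an origin, standing in for the proposed Origin-SHA1 value.

    Assumption: the origin is serialized as scheme://host before hashing.
    """
    return hashlib.sha1(origin.encode("utf-8")).hexdigest()


# Constructed candidate list; any public list of popular sites plays this role.
CANDIDATE_HOSTS = ["example.com", "www.example.com", "playboy.com", "example.org"]


def build_table(hosts, schemes=("http", "https")):
    """Precompute hash -> origin for every candidate (done once, reused forever)."""
    table = {}
    for host in hosts:
        for scheme in schemes:
            origin = f"{scheme}://{host}"
            table[origin_sha1(origin)] = origin
    return table


def recover_origin(header_value: str, table: dict):
    """Return the origin behind a header value, or None if it was not a candidate."""
    return table.get(header_value.lower())


def allowed_by_exact_list(header_value: str, allowed_origins) -> bool:
    """The only policy a hash supports: exact match against known origins."""
    return header_value.lower() in {origin_sha1(o) for o in allowed_origins}


TABLE = build_table(CANDIDATE_HOSTS)

if __name__ == "__main__":
    # A well-known site is recovered; an unguessable internal host name is not.
    for origin in ("http://playboy.com", "http://xyzzy2984.eur.int.example.com"):
        value = origin_sha1(origin)
        print(f"Origin-SHA1: {value} -> {recover_origin(value, TABLE)}")

    # "Any subdomain of example.com" cannot be checked: the hash of a
    # subdomain shares nothing with the hash of the parent domain.
    sub = origin_sha1("https://shop.example.com")
    print("subdomain accepted:", allowed_by_exact_list(sub, ["https://example.com"]))
```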