Ian Hickson wrote on 1/13/2009 7:09 PM: 
> On Tue, 13 Jan 2009, Jonas Sicking wrote:
>> It's not just POST that we need to worry about, ideally we should cover 
>> the GET case as well. Or at least it's quite likely that we will want 
>> to.
> 
> My understanding was that we didn't want to include Origin in GET 
> requests. In fact HTML5 right now goes out of its way to avoid including 
> it in GET requests.

Presumably it's due to the concern raised by "Origin Header for CSRF 
Mitigation":

-----
The Origin header also improves on the Referer header by NOT leaking intranet 
host names to external sites when a user follows a hyperlink from an intranet 
host to an external site because hyperlinks generate GET requests.

http://crypto.stanford.edu/websec/specs/origin-header/
-----

What would be more helpful though is if the Origin header is sent for any 
GET/HEAD requests that are sent back to the same domain; that way, the domain 
can confirm the request is coming from itself and it still avoids leaking 
intranet host names to external sites.


- Bil
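Added example, not code from the thread or from the Stanford draft: a server-side check modelling Bil's proposal above, where the browser sends Origin on POST and on same-origin GET/HEAD but omits it on cross-origin GET/HEAD. The site's own origin "https://app.example", the "wiki.corp.internal" intranet host and the request records are all constructed for this example.

```javascript
// Server-side Origin check following the proposal in the message above.
// Assumptions (not from the thread): the browser sends Origin on POST and
// on same-origin GET/HEAD, and omits it on cross-origin GET/HEAD. Header
// names are lower-cased, as Node's http module delivers them.

const SELF_ORIGIN = "https://app.example"; // hypothetical own origin
const SAFE_METHODS = new Set(["GET", "HEAD"]);

// Can this request be confirmed as coming from our own origin?
function originCheck(req) {
  const method = req.method.toUpperCase();
  const origin = req.headers["origin"];

  if (origin === undefined) {
    // For GET/HEAD, a missing Origin under the proposal means a cross-origin
    // navigation (a hyperlink from elsewhere) or a non-browser client: fine
    // for a read, but not verifiably "ourselves". For a state-changing
    // method it means the request cannot be verified at all.
    return { fromSelf: false, reason: "no Origin header on " + method };
  }
  // A literal "null" is what a browser sends when it withholds the origin;
  // it must never match. Otherwise require an exact match of
  // scheme://host[:port]; prefix or substring matching lets
  // "https://app.example.attacker.example" through.
  if (origin === "null" || origin !== SELF_ORIGIN) {
    return { fromSelf: false, reason: "Origin " + origin + " is not " + SELF_ORIGIN };
  }
  return { fromSelf: true, reason: "Origin matches " + SELF_ORIGIN };
}

// CSRF guard for state-changing endpoints: only requests the Origin check
// confirms as our own are allowed, and GET/HEAD never change state.
function allowStateChange(req) {
  if (SAFE_METHODS.has(req.method.toUpperCase())) return false;
  return originCheck(req).fromSelf;
}

// What a Referer header on the same request would have disclosed: the full
// URL, including an intranet host name. Returns null when no Referer is set
// or it does not parse.
function hostLeakedByReferer(req) {
  const ref = req.headers["referer"];
  if (ref === undefined) return null;
  try {
    return new URL(ref).hostname;
  } catch (e) {
    return null;
  }
}

// Constructed sample requests (not captured traffic).
const SAMPLES = {
  sameOriginPost: { method: "POST", headers: { origin: SELF_ORIGIN } },
  crossOriginPost: { method: "POST", headers: { origin: "https://attacker.example" } },
  lookalikeOriginPost: { method: "POST", headers: { origin: "https://app.example.attacker.example" } },
  nullOriginPost: { method: "POST", headers: { origin: "null" } },
  // same-origin GET carries Origin under the proposal
  sameOriginGet: { method: "GET", headers: { origin: SELF_ORIGIN } },
  // hyperlink from an intranet page to us: no Origin under the proposal,
  // whereas a Referer would have carried the intranet host name
  hyperlinkGet: { method: "GET", headers: { referer: "http://wiki.corp.internal/page?x=1" } },
};

// Summary table of every sample: origin verdict, CSRF decision, Referer leak.
function report() {
  const out = {};
  for (const [name, req] of Object.entries(SAMPLES)) {
    out[name] = {
      fromSelf: originCheck(req).fromSelf,
      stateChangeAllowed: allowStateChange(req),
      refererLeaksHost: hostLeakedByReferer(req),
    };
  }
  return out;
}
```

The check deliberately treats "no Origin" and "Origin: null" as not-self rather than as an error: a read-only GET without Origin is ordinary cross-site navigation and can be served, while a state-changing request without a matching Origin is refused. The exact-match comparison is the part most often got wrong in practice.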

