Anne van Kesteren wrote:
> On Sun, 25 May 2008 23:36:48 +0200, Jonas Sicking <[EMAIL PROTECTED]> wrote:
>> If the header is simply named 'Origin' (or 'Referer-Root') then
>> blocking any requests that include that header would also block for
>> example cross-site image requests or cross-site POSTs.
> Right. Given that it's likely we get extensions in the future that allow
> reading the contents of images (<img>.getImageData() or something) or
> the response of a <form> POST (some features in Web Forms 2.0 allow this
> as far as I can tell).
When these features are added we'll have to add some sort of opt-in
mechanism from the server. Hopefully Access-Control.
However, I don't see how that affects anything. We'll still have the same
situation as we do today for the set of cross-site features that exist
today (such as <img>) that will work with the same set of server
configurations that exist today.
So I don't see the situation changing materially.
>> This can be both good and bad. The good part is that it gives sites a
>> tool to easily block all third-party requests. The bad part is that it
>> makes it harder to just block the most dangerous ones, i.e. ones where
>> the requesting site can read the response.
> The response is never revealed unless specified by the server.
Right. The concern that we tried to deal with was a site detecting that
they were wrongly configured and wanting to quickly deal with that.
Another scenario is a server administrator on an intranet wanting to
make sure that no-one accidentally enabled sharing to internet sites and
thus leak private corporate data to the outside world.
One option is of course to shut down the whole server while figuring out
how to fix the problem. However, that could be very undesirable, and
doesn't work in the case of trying to protect intranet sites.
>> With Access-Control-Origin it is easy to block all cross-site requests
>> where the requesting site can read the resulting data.
> "Origin" is likely to in the future exist even for same-site requests,
> as well as other requests where the requesting site cannot read the data.
/ Jonas
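The trade-off Jonas and Anne are arguing about, as an added illustration that is not part of the thread: an emergency "refuse everything cross-site" rule keyed on the draft's `Access-Control-Origin` header (assumed here, as in the thread, to accompany only requests whose response the requester may read) versus the same rule keyed on a bare `Origin` header (assumed to also accompany `<img>` loads and `<form>` POSTs, and in future same-site requests). The sample requests, the function names and the origins are constructed for the example; nothing here is a real server's configuration.

```python
"""Compare two emergency cut-off policies for an intranet server that
suspects it has accidentally enabled cross-site sharing.

Policy A: refuse any request carrying Access-Control-Origin from another site.
Policy B: refuse any request carrying Origin from another site.

Both header names and their assumed semantics follow the 2008 Access-Control
draft discussed in the thread, not the final CORS specification.
"""
from typing import Dict, List, Tuple

# Constructed sample requests (label, request headers). Per the thread's
# assumptions, Access-Control-Origin marks a cross-site request whose response
# the requester is allowed to read; a bare Origin header also appears on
# requests whose response stays hidden (<img>, <form> POST) and on same-site
# requests.
SAMPLE_REQUESTS: List[Tuple[str, Dict[str, str]]] = [
    ("cross-site XHR (response readable)",
     {"Origin": "https://outside.example",
      "Access-Control-Origin": "https://outside.example"}),
    ("cross-site <img> load",
     {"Origin": "https://partner.example",
      "Referer": "https://partner.example/page"}),
    ("cross-site <form> POST",
     {"Origin": "https://partner.example",
      "Content-Type": "application/x-www-form-urlencoded"}),
    ("same-site XHR",
     {"Origin": "https://intranet.example"}),
    ("legacy request without Origin",
     {"Referer": "https://intranet.example/page"}),
]


def _lower_keys(headers: Dict[str, str]) -> Dict[str, str]:
    """HTTP header names are case-insensitive; normalise for lookup."""
    return {name.lower(): value for name, value in headers.items()}


def is_same_site(origin: str, site_origin: str) -> bool:
    """Exact origin comparison after trimming a trailing slash."""
    return origin.rstrip("/").lower() == site_origin.rstrip("/").lower()


def blocked_by(header_name: str, headers: Dict[str, str], site_origin: str) -> bool:
    """Would the rule 'refuse any request that carries header_name from
    another origin' refuse this request?"""
    value = _lower_keys(headers).get(header_name.lower())
    if value is None:
        return False  # no marker header: served exactly as today
    return not is_same_site(value, site_origin)


def compare_policies(site_origin: str,
                     requests: List[Tuple[str, Dict[str, str]]] = SAMPLE_REQUESTS
                     ) -> Dict[str, Dict[str, bool]]:
    """For every sample request, report which of the two policies blocks it."""
    return {
        label: {
            "Access-Control-Origin": blocked_by("Access-Control-Origin", hdrs, site_origin),
            "Origin": blocked_by("Origin", hdrs, site_origin),
        }
        for label, hdrs in requests
    }


def overblocked(site_origin: str,
                requests: List[Tuple[str, Dict[str, str]]] = SAMPLE_REQUESTS
                ) -> List[str]:
    """Requests the Origin-keyed rule refuses although their response was
    never readable cross-site: the collateral damage Jonas describes."""
    report = compare_policies(site_origin, requests)
    return [label for label, verdict in report.items()
            if verdict["Origin"] and not verdict["Access-Control-Origin"]]


if __name__ == "__main__":
    site = "https://intranet.example"
    for label, verdict in compare_policies(site).items():
        print(f"{label:38s} A-C-Origin rule: {'BLOCK' if verdict['Access-Control-Origin'] else 'serve':5s}"
              f"  Origin rule: {'BLOCK' if verdict['Origin'] else 'serve'}")
    print("over-blocked by the Origin rule:", overblocked(site))
```

Run as a script, the table shows that both rules stop the readable cross-site XHR, while only the Origin-keyed rule also stops the image load and the form POST, which is precisely the "harder to block just the most dangerous ones" point in the thread; the same-site and legacy requests pass under both.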