On Jan 14, 2009, at 3:45 PM, Bil Corry wrote:


Adrian Bateman wrote on 1/14/2009 3:18 PM:
I actually don't think that the generic name is a problem as long as the CSRF solution uses a different name for a different meaning. The value really is an Origin and could potentially be used for more than just participation in the Access Control negotiation. It could still be meaningful in other scenarios in future which would otherwise now have to define a new header with
the same meaning.

I'm thinking out loud here, making sure I have the distinction between the two correct:

With Access Control, "Origin" represents the initial request, which survives through a redirect. So as Adrian points out, it really is an "Origin."

With CSRF mitigation, "Origin" represents the immediately-preceding request, which for obvious reasons does not survive through a redirect.


That's why I liked the idea of just including the chain of requests within Origin, you can then easily find the one you want. But since that isn't on the table, I'm attracted to renaming the CSRF Origin to something like "Request-Origin". Whatever name is chosen, it then has to be added to the XHR spec as a header that can not modified/created via XHR.

Given this behavior, it sounds to me like the Access Control related header is more deserving of the term "Origin", since it represents the true origin of the request. I am not sure what the other header could be called to make the difference clear. Perhaps "Redirect-Origin"? Why does the CSRF defense header need to change on redirect?

Regards,
Maciej


Reply via email to