I'm adding Sid, who has been editing the document: https://wiki.mozilla.org/Security/Origin
As is mentioned in the first section of that document, the name of the proposed header is subject to change.

Thanks,
Brandon

On 4/6/09 1:04 PM, Adam Barth wrote:
> On Mon, Apr 6, 2009 at 2:19 AM, Thomas Roessler <t...@w3.org> wrote:
>> Perhaps it's worthwhile to summarize the Mozilla-internal discussions and
>> send them here first? I'm having a sense that much of what's needed right
>> now is for somebody to ask the right questions.
>
> I'll let someone from Mozilla fill in the details, but the general
> idea is twofold:
>
> 1) Enable CSRF mitigation for GET requests.
>
> 2) Provide additional information in the header to help mitigate
> ClickJacking as well.
>
> To achieve (1), the Mozilla proposal sends the header (let's call it
> Blame-List for ease of discussion) for some GET requests, depending on
> how the requests were generated. For example, a hyperlink or an image
> would not send Blame-List, but a form submission would.
>
> To achieve (2), the Blame-List contains not only the origin that
> initiated the request, but also the origin of all the ancestor frames.
> For example, if attacker.com created an iframe to example.com, and
> the user clicked on the "buy" button inside of the example.com iframe,
> the header would look something like this:
>
> Blame-List: http://example.com http://attacker.com
>
> I believe Mozilla has fleshed out the details in a document somewhere.
>
> Adam
>
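The server-side check the quoted proposal implies, as an added example that is not part of the thread or of the Mozilla document. It uses the placeholder header name "Blame-List" and the space-separated list of origins from Adam's message (initiating origin first, then ancestor frames outermost last); the trusted-origin set, the function names and the sample requests are assumptions constructed for illustration. It also covers the two cases the message only implies: a request with no header at all (a plain hyperlink or image fetch, which the proposal says would not carry it) is refused for a state-changing action, and the header's own values are validated before being trusted.

```python
"""Added example: checking a Blame-List style header on a state-changing endpoint.

Header name, format and the http://example.com / http://attacker.com sample come
from the thread; TRUSTED_ORIGINS and all function names are assumptions.
"""
from urllib.parse import urlsplit

# Assumption: the origins that are allowed to initiate the action and to
# frame the page that does so (i.e. the site itself).
TRUSTED_ORIGINS = {"http://example.com"}


def parse_blame_list(value):
    """Split the header into normalized origins, rejecting anything that is
    not a bare scheme://host[:port] (a path, query or fragment means the
    value is not an origin and should not be trusted)."""
    origins = []
    for token in value.split():
        parts = urlsplit(token)
        if (parts.scheme not in ("http", "https") or not parts.netloc
                or parts.path not in ("", "/") or parts.query or parts.fragment):
            raise ValueError(f"malformed origin: {token!r}")
        # urlsplit already lowercases the scheme; normalize the host too.
        origins.append(f"{parts.scheme}://{parts.netloc.lower()}")
    return origins


def check_state_changing_request(headers):
    """Return (allowed, reason) for a request to an endpoint that changes state.

    Policy, following the two goals in the thread:
      - the header must be present: hyperlinks and images do not send it, so
        a GET that lacks it cannot have come from a form submission (CSRF);
      - the initiating origin (first entry) must be trusted (CSRF);
      - every ancestor frame (remaining entries) must be trusted (ClickJacking).
    """
    value = headers.get("Blame-List")
    if value is None:
        return False, "missing Blame-List: not a request type that carries it"
    try:
        origins = parse_blame_list(value)
    except ValueError as err:
        return False, str(err)
    if not origins:
        return False, "empty Blame-List"
    initiator, ancestors = origins[0], origins[1:]
    if initiator not in TRUSTED_ORIGINS:
        return False, f"cross-site initiator {initiator}"
    untrusted = [o for o in ancestors if o not in TRUSTED_ORIGINS]
    if untrusted:
        return False, f"framed by untrusted ancestor(s) {' '.join(untrusted)}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample requests (not real traffic).
    samples = {
        "form posted from our own top-level page": {"Blame-List": "http://example.com"},
        "thread's example: our page framed by attacker.com":
            {"Blame-List": "http://example.com http://attacker.com"},
        "form posted directly from attacker.com": {"Blame-List": "http://attacker.com"},
        "plain link or image GET (no header)": {},
        "header carrying a full URL instead of an origin":
            {"Blame-List": "http://example.com/buy?id=1"},
    }
    for label, hdrs in samples.items():
        allowed, reason = check_state_changing_request(hdrs)
        print(f"{'ALLOW' if allowed else 'DENY ':5} {label}: {reason}")
```

Note that the check refuses the thread's own example ("http://example.com http://attacker.com"): the request was initiated by example.com, so a CSRF-only check on the first entry would pass it, and it is only the ancestor list that reveals the framing. That is the point of goal (2), and it is why the header must be checked in full rather than just for its first value.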