Adam Barth wrote on 4/7/2009 11:54 AM:
> On Mon, Apr 6, 2009 at 2:09 PM, Bil Corry <b...@corry.biz> wrote:
>> Can we please include the Origin header for all same-origin requests,
>> including GET and HEAD? Or is there a compelling reason why not to do so?

BTW, one reason to do this is to help deter timing attacks. Any request that arrives for the login page or a protected page that isn't same-origin can be redirected to a common landing page.

>> Also, would there be value in having Origin sent for *all* requests, and if
>> populating Origin is prohibited for that request (e.g. cross-origin GET), it
>> sends "null" as the value?
>
> In order to make the Origin header a workable CSRF defense for GET,
> we'd have to send "null" on cross-origin GET requests (otherwise the
> attacker can suppress the header by making a GET request from another
> origin). However, this is inconsistent with CORS.

If a header similar to Mozilla's Origin were to be adopted by the major UAs, then as a webapp developer, I would never again look at Origin. Especially if the new header was sent with *all* requests (NULL where appropriate), included the redirect hosts, and was populated for same-origin requests. It would, in effect, render Origin obsolete.

- Bil
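The server-side check the thread is arguing about, as an added example that is not part of the original message or of any browser's implementation. It contrasts the two header behaviours discussed above: Origin absent on cross-origin GET (so absence is ambiguous and cannot be used to reject) versus Origin sent on every request with "null" where the browser must not name the origin; the site origin, landing page path and function names are constructed for the example.

```python
from urllib.parse import urlsplit

SITE_ORIGIN = "https://app.example"   # constructed site origin for the example
LANDING_PAGE = "/landing"             # constructed common landing page


def _normalize(origin):
    """Reduce an origin string to lower-cased scheme://host[:port]."""
    p = urlsplit(origin)
    return f"{p.scheme}://{p.netloc}".lower()


def classify_origin(origin_header, sent_on_all_requests):
    """Classify a request by its Origin header: 'same', 'cross' or 'unknown'.

    sent_on_all_requests=False models the behaviour Adam describes: the
    header is absent on cross-origin GET just as on a same-origin GET, so an
    absent header tells the server nothing (the attacker suppresses it simply
    by issuing the GET from another origin).

    sent_on_all_requests=True models Bil's proposal: every request carries
    Origin, with "null" where the browser may not reveal the origin, so an
    absent header means a non-conforming client and "null" means cross-origin.
    """
    if origin_header is None:
        return "cross" if sent_on_all_requests else "unknown"
    if origin_header.strip().lower() == "null":
        return "cross"
    return "same" if _normalize(origin_header) == _normalize(SITE_ORIGIN) else "cross"


def route_protected_request(path, headers, sent_on_all_requests):
    """Bil's suggestion: requests for the login page or a protected page that
    are not same-origin are redirected to one common landing page, so a
    cross-site request observes the same response timing regardless of path.
    """
    kind = classify_origin(headers.get("Origin"), sent_on_all_requests)
    if kind == "same":
        return ("serve", path)
    if kind == "cross":
        return ("redirect", LANDING_PAGE)
    # 'unknown': the header was legitimately omitted, so without a "null"
    # marker the server cannot tell a same-origin GET from a cross-origin one
    # and has to fall back to serving the page (the gap the thread points out).
    return ("serve", path)
```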