[+www-tag] I have received several private responses to my post, but oddly, nothing public yet. In these responses, I have been asked most frequently about:
On Wed, Jun 3, 2009 at 4:21 PM, Mark S. Miller <erig...@google.com> wrote:
> Why identify even same origin requests as cross-origin? Given that all
> cross-origin requests are identified as such, then even without the normal
> credentials, the mere absence of an origin header identifies the
> requestor as being from the same origin. This is in fact a form of
> credential. If the containing page does not consider the script in
> question to speak for it, then it shouldn't be allowed to implicitly
> claim (by the absence of an origin header) to be from the same origin.

Since malicious machines, or malicious applications running on trusted machines, can send messages that aren't self-identified as cross origin, why do I suggest that lack of an origin header (in the absence of other credentials) might lead a server into granting more access than it would for messages self-identified as "Origin: null"? For servers reachable from the open internet, such server behavior would indeed be nonsensical. However, many servers are behind corporate firewalls and not reachable from the open internet. The premise firewalls rely on, whether sensible or not, is that all software running behind that firewall that can send arbitrary network messages is not malicious. Under these assumptions, browsers behind the firewall are assumed not to be malicious themselves, but of course may be running malicious scripts associated only with origins outside the firewall. These can of course cause their browser to initiate network messages to servers within the firewall, but only messages identified with browser-imposed headers. For messages not identified as cross origin, a server can assume that either the initiating program is non-malicious (because it is associated with the server's behind-the-firewall origin) or that the initiating program will not receive the results of the request.
Under these admittedly fragile (but common) assumptions, a server may indeed "trust" a message that doesn't identify itself as cross origin more than it "trusts" one that does. Thus, a non-malicious script that doesn't wish the sanitized scripts it loads to "speak for it" should force all the messages they initiate to be identified as "Origin: null".

--
Cheers,
--MarkM
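The three request classes the message distinguishes (no Origin header, "Origin: null", and an explicit cross-origin value) can be made concrete as a server-side policy. The following is an added illustration written for this page, not code from MarkM or from any project he describes; the allowlist, the example origins and the `trust_absent_origin` switch are constructed assumptions. The switch models the behind-the-firewall server in the post that treats a missing Origin header as same-origin; an internet-facing server would pass `False`, since there the absence of the header is not evidence of anything.

```python
"""Added example: classify an HTTP request by its Origin header and decide
whether to serve it, following the cases discussed in the post.

  * no Origin header  -> not self-identified as cross-origin; the intranet
                         server in the post treats this as "trusted", an
                         assumption the post itself calls fragile
  * Origin: null      -> self-identified as cross-origin with an opaque
                         origin (e.g. a sandboxed frame); least trust
  * Origin: scheme://host[:port] -> cross-origin; served only if the value
                         is on an explicit allowlist, with CORS headers

Allowlist and origins below are constructed for illustration.
"""
from urllib.parse import urlsplit

# Constructed allowlist of origins this server will answer cross-origin.
ALLOWED_ORIGINS = {"https://intranet.example", "https://tools.example"}


def classify_origin(headers: dict) -> tuple:
    """Return (kind, origin) where kind is 'absent', 'null', 'allowed' or
    'denied' and origin is the normalised header value (or None)."""
    # Header names are case-insensitive; normalise before lookup.
    lowered = {k.lower(): v for k, v in headers.items()}
    origin = lowered.get("origin")
    if origin is None:
        return ("absent", None)
    origin = origin.strip()
    if origin == "null":
        return ("null", origin)
    parts = urlsplit(origin)
    # A serialized origin is scheme://host[:port] with no path, query or
    # fragment; anything else is malformed and is refused outright.
    if (parts.scheme not in ("http", "https") or not parts.netloc
            or parts.path or parts.query or parts.fragment):
        return ("denied", origin)
    # Exact string match: no prefix or substring matching on origins.
    return ("allowed" if origin in ALLOWED_ORIGINS else "denied", origin)


def decide(headers: dict, trust_absent_origin: bool) -> tuple:
    """Return (serve, extra_response_headers) for the request.

    trust_absent_origin=True reproduces the post's behind-the-firewall
    policy: a request with no Origin header is treated as same-origin.
    """
    kind, origin = classify_origin(headers)
    if kind == "absent":
        # No CORS headers are needed: the browser did not flag the request
        # as cross-origin, so it will not apply CORS checks to the reply.
        return (trust_absent_origin, {})
    if kind == "allowed":
        # Echo only the allowlisted origin, never "*", and tell caches the
        # response depends on the Origin header.
        return (True, {"Access-Control-Allow-Origin": origin,
                       "Vary": "Origin"})
    # "null" and unknown or malformed origins get the least access.
    return (False, {})


if __name__ == "__main__":
    # Constructed sample requests, one per class in the post.
    samples = [
        ({}, True),
        ({}, False),
        ({"Origin": "null"}, True),
        ({"Origin": "https://tools.example"}, False),
        ({"Origin": "https://attacker.example"}, True),
    ]
    for hdrs, trust in samples:
        print(hdrs, "trust_absent=%s" % trust, "->", decide(hdrs, trust))
```

Because `classify_origin` refuses anything that is not a bare scheme://host[:port] and compares against the allowlist by exact string, an origin such as `https://intranet.example/path` or `https://intranet.example.attacker.example` is denied rather than matched by prefix.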