On Fri, Jun 5, 2009 at 9:42 PM, Mark S. Miller <erig...@google.com> wrote:
> [+www-tag]
>
> I have received several private responses to my post, but oddly, nothing public yet. In these responses, I have been asked most frequently about:

Sorry for the lag in public comments.

> On Wed, Jun 3, 2009 at 4:21 PM, Mark S. Miller <erig...@google.com> wrote:
> Since malicious machines, or malicious applications running on trusted machines, can send messages that aren't self-identified as cross origin, why do I suggest that lack of an origin header (in the absence of other credentials) might lead a server into granting more access than it would for messages self-identified as "Origin: null"?
>
> For servers reachable from the open internet, such server behavior would indeed be nonsensical. However, many servers are behind corporate firewalls and not reachable from the open internet. The premise firewalls rely on, whether sensible or not, is that all software running behind that firewall that can send arbitrary network messages is not malicious. Under this assumption, browsers behind the firewall are assumed not to be malicious themselves, but of course may be running malicious scripts associated only with origins outside the firewall. These can of course cause their browser to initiate network messages to servers within the firewall, but only messages identified with browser-imposed headers. For messages not identified as cross origin, a server can assume that either the initiating program is non-malicious (because it is associated with the server's behind-the-firewall origin) or that the initiating program will not receive the results of the request.

This seems like a lot of speculation. Do you have any evidence to support this hypothesis?

> Under these admittedly fragile (but common) assumptions, a server may indeed "trust" a message that doesn't identify itself as cross origin more than it "trusts" one that does. Thus, a non-malicious script that doesn't wish the sanitized scripts it loads to "speak for it" should force all the messages they initiate to be identified as "Origin: null".

If this were the case, we'd have this same problem with Referer, postMessage, Origin-for-CORS, and numerous other web technologies.

Adam
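As an added illustration of the server-side policy being debated above (this is not code from the thread or from either participant): a small Python classifier that distinguishes an absent Origin header from the literal "Origin: null" and from a trusted or foreign origin, then compares the behind-the-firewall policy Mark describes with a stricter one that gives an absent header no positive weight. The origin names and sample requests are constructed for this example.

```python
# Origins the hypothetical intranet server treats as its own
# (assumption: constructed names, not from the thread).
TRUSTED_ORIGINS = {"https://intranet.example.corp"}


def classify_origin(headers: dict) -> str:
    """Classify a request by its Origin header (header names are case-insensitive).

    Returns one of:
      "absent"  - no Origin header at all (not self-identified as cross origin)
      "null"    - the literal "Origin: null"
      "trusted" - a value listed in TRUSTED_ORIGINS
      "foreign" - any other origin value
    """
    value = None
    for name, raw in headers.items():
        if name.lower() == "origin":
            value = raw.strip()
            break
    if value is None:
        return "absent"
    if value == "null":
        return "null"
    if value in TRUSTED_ORIGINS:
        return "trusted"
    return "foreign"


def allow_under_firewall_assumption(headers: dict) -> bool:
    """Policy Mark describes: a message not self-identified as cross origin is
    presumed to come from a non-malicious behind-the-firewall program, so an
    absent header is trusted; "null" and foreign origins are not."""
    return classify_origin(headers) in ("absent", "trusted")


def allow_strict(headers: dict) -> bool:
    """Stricter alternative: only an explicit trusted origin is accepted; an
    absent header is no evidence of anything and is rejected."""
    return classify_origin(headers) == "trusted"


# Constructed sample requests covering the cases discussed in the thread.
SAMPLE_REQUESTS = {
    "no_origin": {"Host": "intranet.example.corp"},
    "null_origin": {"Host": "intranet.example.corp", "Origin": "null"},
    "foreign": {"Host": "intranet.example.corp", "Origin": "https://external.example"},
    "trusted": {"Host": "intranet.example.corp", "Origin": "https://intranet.example.corp"},
}

if __name__ == "__main__":
    for label, hdrs in SAMPLE_REQUESTS.items():
        print(label, classify_origin(hdrs), allow_under_firewall_assumption(hdrs), allow_strict(hdrs))
```

The "no_origin" row is the one the two policies disagree on, which is exactly the disagreement in the exchange above.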