On Fri, Jun 12, 2009 at 7:17 PM, Mark S. Miller <[email protected]> wrote:
> On Fri, Jun 12, 2009 at 7:03 PM, Adam Barth <[email protected]> wrote:
>>
>> > What server side behavior difference do you expect between messages with
>> > no Origin and messages with "Origin: null".
>>
>> You'll have to include Origin: null for POST requests. You should
>> include it for GET as well.
>
> Does "have to" == "MUST"?

That's what's required (at the MUST level) by draft-abarth-origin.

> On credential-free GET, why "should" rather than "MUST"?

Because draft-abarth-origin doesn't require it at the MUST level.

> Isn't your answer above only about client (user agent) behavior? I'd still
> like to understand what the recommended/expected difference in server behavior
> should/might be depending on whether Origin is absent or null. Thanks.

Suppose GuestXHR doesn't send an Origin header for any requests and a server
uses the algorithm in draft-abarth-origin to mitigate CSRF attacks. Now, an
attacker can mount a CSRF attack against the server.

Adam
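The server-side difference Mark is asking about, as an added example that is not part of the thread and not text from draft-abarth-origin: the check below is the draft's server algorithm as I read it (absent Origin is accepted for compatibility with older user agents; a present Origin is accepted only if every listed value is trusted, so "null" is rejected), run against constructed requests. The names `originCheck`, `ALLOWED`, `crossSitePost`, `demo` and the hostnames are my own assumptions.

```javascript
// Added example, not code from the thread or from draft-abarth-origin:
// a server-side CSRF check written the way I read the draft's server
// algorithm, applied to constructed requests. All names here (originCheck,
// ALLOWED, the example hostnames) are assumptions of this example.

// Origins this hypothetical server trusts for state-changing requests.
const ALLOWED = new Set(['https://bank.example']);

// Server-side decision for a state-changing request (e.g. POST).
//   1. No Origin header at all        -> accept (legacy user agent; can't tell)
//   2. Every listed origin is trusted -> accept
//   3. Anything else, "null" included -> reject
// `headers` is a Map keyed by lowercase header name.
function originCheck(headers, allowed = ALLOWED) {
  if (!headers.has('origin')) return 'accept';
  // The draft allows a space-separated list of origins; require all trusted.
  const origins = headers.get('origin').trim().split(/\s+/);
  return origins.every((o) => allowed.has(o)) ? 'accept' : 'reject';
}

// Constructed cross-site POST from a page on attacker.example to the bank.
// `uaSendsOrigin` models the difference the thread is about: a GuestXHR that
// follows the draft sends "Origin: null" (it hides the real origin); one that
// omits the header entirely produces a request with no Origin at all.
function crossSitePost(uaSendsOrigin) {
  const headers = new Map([
    ['host', 'bank.example'],
    ['content-type', 'application/x-www-form-urlencoded'],
  ]);
  if (uaSendsOrigin) headers.set('origin', 'null');
  return headers;
}

// Same-site POST from the bank's own page.
function sameSitePost() {
  return new Map([['host', 'bank.example'], ['origin', 'https://bank.example']]);
}

function demo() {
  return {
    sameSite: originCheck(sameSitePost()),               // accept
    guestXhrNullOrigin: originCheck(crossSitePost(true)), // reject: "Origin: null"
    guestXhrNoOrigin: originCheck(crossSitePost(false)),  // accept: the CSRF hole
  };
}

console.log(demo());
```

The last two results are the whole point: with `Origin: null` the server can tell the request came from somewhere it does not trust and refuses it; with no Origin header it has to treat the request as coming from a pre-Origin user agent and lets it through, which is the CSRF Adam describes.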
