On Fri, Jun 12, 2009 at 10:36 PM, Adam Barth <[email protected]> wrote:
>> Isn't your answer above only about client (user agent) behavior? I'd still
>> like to understand what the recommended/expected difference in server behavior
>> should/might be depending on whether Origin is absent or null. Thanks.
>
> Suppose GuestXHR doesn't send an Origin header for any requests and a
> server uses the algorithm in draft-abarth-origin to mitigate CSRF
> attacks. Now, an attacker can mount a CSRF attack against the server.

Could you provide a bit more detail here? I don't understand how an attacker could mount a CSRF attack using GuestXHR, if there are no user credentials in a GuestXHR request. It seems to me that Origin is only about telling a server how to treat user credentials attached to a request.

--Tyler

--
"Waterken News: Capability security on the Web"
http://waterken.sourceforge.net/recent.html
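To make the absent-versus-null distinction concrete, here is an added server-side Origin check written for this thread; it is not code from draft-abarth-origin or from Waterken. The allow-list, the choice to accept credentialed requests that carry no Origin header as legacy traffic, and the decision to consult Origin only when cookies or an Authorization header are present are all this example's own assumptions.

```python
# Added illustration of a server-side Origin check of the kind debated above.
# Policy choices here (accept no-Origin requests as legacy clients; look at
# Origin only when ambient credentials ride on the request) are assumptions
# made for this example, not text from draft-abarth-origin.

ALLOWED_ORIGINS = {"https://app.example"}  # constructed allow-list

def origin_is_allowed(origin_value):
    """True only if every serialized origin in the header is allow-listed.
    The literal "null" (opaque/sandboxed origins) is never allowed."""
    if origin_value is None or origin_value.strip().lower() == "null":
        return False
    # The header may carry a space-separated list; each entry must be allowed.
    entries = origin_value.split()
    return bool(entries) and all(o in ALLOWED_ORIGINS for o in entries)

def has_ambient_credentials(headers):
    """Cookie or Authorization headers are what a CSRF forgery would ride on."""
    return "cookie" in headers or "authorization" in headers

def csrf_decision(headers):
    """headers: dict of request headers with lower-case keys.
    Returns "allow" or "reject"."""
    if not has_ambient_credentials(headers):
        # No user credentials attached (the GuestXHR situation in the reply):
        # there is nothing for a cross-site forgery to abuse, so the Origin
        # header, present or not, does not change the outcome.
        return "allow"
    if "origin" not in headers:
        # Assumption: an absent header means a legacy client that predates
        # Origin, so the request is treated as it was before the header
        # existed. A credentialed client that deliberately omits the header
        # would pass this branch, which is why absent must be reasoned about
        # separately from the explicit value "null".
        return "allow"
    return "allow" if origin_is_allowed(headers["origin"]) else "reject"
```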
