Maciej Stachowiak wrote on 1/15/2009 10:40 PM:
CONCLUSION: We should use a single Origin header with the name and
semantics of the Access-Control Origin header for both its
Access-Control purpose and for redirect defense. The differences in the
HTML5 version are not worth the cost of a very
On Jan 16, 2009, at 9:02 AM, Bil Corry wrote:
Maciej Stachowiak wrote on 1/15/2009 10:40 PM:
CONCLUSION: We should use a single Origin header with the name and
semantics of the Access-Control Origin header for both its
Access-Control purpose and for redirect defense. The differences in
Maciej Stachowiak wrote on 1/16/2009 4:40 PM:
Such hotlinking is probably using a GET request, so no Origin header
would be sent. I believe it is also outside the scope of the CSRF
protection and cross-origin data sharing goals of Origin. The Referer
header is still usable for hotlinking
Maciej Stachowiak wrote on 1/15/2009 12:47 AM:
So one thing to keep in mind is that any POST-based form would not be
vulnerable to this kind of attack unless the victim site actually
submits a form to an untrusted site. There is no way for a GET request
to be redirected to a POST, and it
On Jan 15, 2009, at 7:24 AM, Bil Corry wrote:
Maciej Stachowiak wrote on 1/15/2009 12:47 AM:
So one thing to keep in mind is that any POST-based form would not be
vulnerable to this kind of attack unless the victim site actually
submits a form to an untrusted site. There is no way for a GET
Hixie said the position I expressed was a little unclear, so I'd like
to clarify briefly:
1) FACT: The HTML5 version of the CSRF-defense header (currently
called 'XXX-Origin' as a temporary measure) is specified not to be
sent for GET requests.
1.a) FACT: As a result, it does not
On Wed, 14 Jan 2009 19:53:42 +0100, Jonas Sicking jo...@sicking.cc wrote:
What do other people think?
If we really think they should be different (and at least Adam Barth
suggests that might not be needed) I would really like to rename this
header to make it consistent with the rest of
On Wed, 14 Jan 2009 20:36:12 +0100, Bil Corry b...@corry.biz wrote:
Jonas Sicking wrote on 1/14/2009 12:53 PM:
The problem I think is that the current name, 'Origin', is extremely
generic and so it's likely to cause confusion once we get other
headers containing origins.
That said, I do
On Wed, Jan 14, 2009 at 11:45 AM, Anne van Kesteren ann...@opera.com wrote:
On Wed, 14 Jan 2009 20:36:12 +0100, Bil Corry b...@corry.biz wrote:
Jonas Sicking wrote on 1/14/2009 12:53 PM:
The problem I think is that the current name, 'Origin', is extremely
generic and so it's likely to
On January 14, 2009 11:45 AM, Anne van Kesteren [mailto:ann...@opera.com] wrote:
On Wed, 14 Jan 2009 20:36:12 +0100, Bil Corry b...@corry.biz wrote:
Jonas Sicking wrote on 1/14/2009 12:53 PM:
The problem I think is that the current name, 'Origin', is extremely
generic and so it's likely to
On Jan 14, 2009, at 3:45 PM, Bil Corry wrote:
Adrian Bateman wrote on 1/14/2009 3:18 PM:
I actually don't think that the generic name is a problem as long as the
CSRF solution uses a different name for a different meaning. The value really
is an Origin and could potentially be used for
On Jan 14, 2009, at 5:32 PM, Bil Corry wrote:
Maciej Stachowiak wrote on 1/14/2009 6:14 PM:
Why does the CSRF defense header need to change on redirect?
Because to the site on the far end, it would appear the request came
from somewhere it didn't, effectively hiding the real source of