On 2011-08-26 10:12, Adam Barth wrote:
> [-public-web-security, to avoid cross-posting too much]
>
> On Fri, Aug 26, 2011 at 1:08 AM, Julian Reschke<[email protected]>  wrote:
>> On 2011-08-26 09:58, Adam Barth wrote:
>>> ...
>>> That could well be important if the Origin header is used in other
>>> protocols, such as CORS.  Would you recommend requiring the first or
>>> the last instance?
>>> ...
>>
>> (cc'ing the IETF WG; I was replying to the wrong email thread)
>>
>> I think the right thing to do would be to recommend one of:
>>
>> - treat the message as invalid, or
>>
>> - ignore the header field (whatever that means...).
>>
>> Picking one of the two seems to be the wrong approach.
>
> Ok.  Maybe the best solution is to treat the header as if it contained
> the value "null", which basically means the server doesn't know which
> origin sent the message.  That's what we recommend user agents do when
> they get confused about what value to put in the header.
> ...

It just occurred to me that this will be hard to do in some cases.

Intermediaries/middleware/libraries are allowed to collapse multiple headers into a single one, so

  Origin: http://example.com
  Origin: b

would be combined to

  Origin: http://example.com,b

The "," is allowed in reg-name, so you can't detect this as invalid.

Best regards, Julian
_______________________________________________
websec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/websec
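The following is an added example and is not code from the thread or from any IETF draft. It assumes Python, transcribes the reg-name and sub-delims rules from RFC 3986 section 3.2.2 and the serialized-origin form from RFC 6454 section 7.1 (restricting host to reg-name, so IP-literal and IPv4address hosts are an assumed omission), and uses a constructed two-field request to show both sides of Julian's point: a server that sees the two Origin fields separately can apply the "treat as null" rule, but once an intermediary has folded them into one comma-joined field the result still satisfies the origin grammar and the duplication is undetectable.

```python
import re
from typing import List

# Grammar fragments transcribed from RFC 3986 section 3.2.2:
#   reg-name   = *( unreserved / pct-encoded / sub-delims )
#   sub-delims = "!" / "$" / "&" / "'" / "(" / ")" / "*" / "+" / "," / ";" / "="
# The comma is a sub-delim, which is why a folded value still parses.
UNRESERVED = r"A-Za-z0-9\-._~"
SUB_DELIMS = r"!$&'()*+,;="
REG_NAME = rf"(?:[{UNRESERVED}{SUB_DELIMS}]|%[0-9A-Fa-f]{{2}})*"
SCHEME = r"[A-Za-z][A-Za-z0-9+\-.]*"

# serialized-origin = scheme "://" host [ ":" port ]  (RFC 6454 section 7.1).
# Assumption for brevity: host is restricted to reg-name; IP-literal and
# IPv4address hosts are not handled here.
SERIALIZED_ORIGIN = re.compile(
    rf"(?P<scheme>{SCHEME})://(?P<host>{REG_NAME})(?::(?P<port>[0-9]*))?"
)


def is_syntactically_valid_origin(value: str) -> bool:
    """True if value is the literal "null" or matches serialized-origin."""
    return value == "null" or SERIALIZED_ORIGIN.fullmatch(value) is not None


def effective_origin(origin_fields: List[str]) -> str:
    """Apply the 'treat as null' rule from the thread to the Origin fields
    the server actually received, one list element per header field.

    Anything other than exactly one well-formed field yields "null".
    """
    if len(origin_fields) != 1:
        return "null"
    value = origin_fields[0].strip()
    return value if is_syntactically_valid_origin(value) else "null"


def collapse_repeated_fields(origin_fields: List[str]) -> List[str]:
    """Model an intermediary or HTTP library that folds repeated fields of
    the same name into one field joined by ",", as RFC 2616 section 4.2
    (now RFC 7230 section 3.2.2) permits for list-valued fields."""
    if not origin_fields:
        return []
    return [",".join(f.strip() for f in origin_fields)]


def origin_allowed(origin: str, allow_list: set) -> bool:
    """Exact-match allow-listing: the check that still rejects a folded
    value, because "http://example.com,b" equals no entry even though it
    is grammatically an origin."""
    return origin != "null" and origin in allow_list


if __name__ == "__main__":
    # Constructed sample request: two Origin fields, as in the thread.
    as_received = ["http://example.com", "b"]
    print(effective_origin(as_received))                      # null
    folded = collapse_repeated_fields(as_received)            # ['http://example.com,b']
    print(is_syntactically_valid_origin(folded[0]))           # True
    print(effective_origin(folded))                           # http://example.com,b
    print(origin_allowed(effective_origin(folded), {"http://example.com"}))  # False
```

The practical consequence for a server is that grammar-level validation of the Origin value cannot be relied on to catch duplicated fields that reached it through a folding intermediary; comparing the received value byte-for-byte against an explicit allow-list of expected origins rejects the folded form regardless of how it was produced.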