On Fri, Aug 26, 2011 at 1:50 AM, Julian Reschke <[email protected]> wrote:
> On 2011-08-26 10:12, Adam Barth wrote:
>>
>> [-public-web-security, to avoid cross-posting too much]
>>
>> On Fri, Aug 26, 2011 at 1:08 AM, Julian Reschke <[email protected]>
>> wrote:
>>>
>>> On 2011-08-26 09:58, Adam Barth wrote:
>>>>
>>>> ...
>>>> That could well be important if the Origin header is used in other
>>>> protocols, such as CORS. Would you recommend requiring the first or
>>>> the last instance?
>>>> ...
>>>
>>> (cc'ing the IETF WG; I was replying to the wrong email thread)
>>>
>>> I think the right thing to do would be to recommend one of:
>>>
>>> - treat the message as invalid, or
>>>
>>> - ignore the header field (whatever that means...).
>>>
>>> Picking one of the two seems to be the wrong approach.
>>
>> Ok. Maybe the best solution is to treat the header as if it contained
>> the value "null", which basically means the server doesn't know which
>> origin sent the message. That's what we recommend user agents do when
>> they get confused about what value to put in the header.
>> ...
>
> It just occurred to me that this will be hard to do in some cases.
>
> Intermediaries/middleware/libraries are allowed to collapse multiple headers
> into a single one, so
>
> Origin: http://example.com
> Origin: b
>
> would be combined to
>
> Origin: http://example.com,b
>
> The "," is allowed in reg-name, so you can't detect this as invalid.
Correct. That's why we forbid user agents from generating those requests.

Adam

_______________________________________________
websec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/websec
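Added example (not from the thread or any IETF document) of the server-side consequence Julian describes: a collapsed "http://example.com,b" is syntactically a plausible serialized origin, so only an exact allowlist match, never a prefix match, rejects it; multiple Origin instances are mapped to "null" as Adam suggests. The list-of-values input and the ALLOWED_ORIGINS set are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed allowlist for the example; a real deployment reads its own configuration.
ALLOWED_ORIGINS = {"http://example.com"}


def effective_origin(origin_values):
    """Return the origin the server should act on, or "null" when it cannot be determined.

    origin_values: one entry per Origin header instance as received (a hypothetical
    framework API that has not collapsed repeated headers). More than one instance is
    treated as "null", the same fallback user agents use when they are unsure.
    """
    if len(origin_values) != 1:
        return "null"
    value = origin_values[0].strip()
    if value == "null":
        return "null"
    parts = urlsplit(value)
    # A serialized origin is scheme "://" host [":" port]; anything carrying a path,
    # query, fragment or userinfo is not an origin. Note that "example.com,b" passes
    # here, because "," is legal in reg-name, which is exactly the thread's point.
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return "null"
    if parts.path or parts.query or parts.fragment or "@" in parts.netloc:
        return "null"
    return value


def cors_allowed(origin_values):
    """Whole-value match against the allowlist: the collapsed value does not match."""
    return effective_origin(origin_values) in ALLOWED_ORIGINS


def naive_prefix_allowed(single_value):
    """The weak check to avoid: a prefix test accepts "http://example.com,b"."""
    return any(single_value.startswith(o) for o in ALLOWED_ORIGINS)
```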
