[whatwg] Origin header and <form>s
Jonas Sicking
jonas at sicking.cc
Wed Jul 9 18:59:54 PDT 2008
Hi All,
The Access-Control spec [1] adds an 'Origin' header that is submitted
with all requests. I propose that we specify that <form> POSTs should do
the same. This would be a very powerful mechanism to prevent CSRF
attacks as it would allow CSRF prevention to happen in the server,
rather than in the application layer.
This way servers could be configured to reject all POST requests that
have an Origin header from a different site.
This wouldn't replace the normal CSRF protections sites need to do for
now, but eventually enough UAs implement this that servers can just
reject POSTs that doesn't have 'Origin' set. This would be especially
true if we can get this feature backported into old browsers (we'll
likely backport it to FF3).
/ Jonas
[1] http://dev.w3.org/2006/waf/access-control/
More information about the whatwg
mailing list