[whatwg] Dealing with UI redress vulnerabilities inherent to the current web

Collin Jackson w3c at collinjackson.com
Thu Sep 25 13:46:19 PDT 2008


On Thu, Sep 25, 2008 at 1:46 PM, Michal Zalewski <lcamtuf at dione.cc> wrote:
>> 7) New HTTP request header: Browser vendors seem to be moving away from
>> "same origin restrictions" towards "verifiable origin labels" that let the
>> site decide whether two security origins trust each other.  Recent examples
>> of this are MessageEvent's "origin" property [1], postMessage's
>> "targetOrigin" argument [2], and the HTTP "Origin" header [3] [4] [5]. We
>> can adjust proposal (1) to conform to this philosophy: instead of making it
>> an "X-I-Do-Not-Want-To-Be-Framed-Across-Domains: yes" HTTP response header,
>> make it an "X-Ancestor-Frame-Origin: http://www.evil.com" HTTP request
>> header.
>
> Oh yup, I wanted to capture this possibility in #5; it's a noble long-term
> goal, but with the conflicting proposals from Microsoft, Mozilla developers,
> and several other parties, and the high complexity of getting these
> mechanisms right - I am not sure it's a viable solution for the next few
> years. Maybe in 5-10, it would be a reality.

I would actually expect #7 would be the easiest to standardize of all
the proposals. The three examples (origin, targetOrigin, and Origin)
have all been adopted by every major browser vendor (including
Microsoft) within the past year.

Collin
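The two header designs quoted above, the response-header opt-out of proposal (1) and the request-header variant of proposal (7), as an added Python sketch that is not from the thread or from any browser vendor; both header names are the proposals as quoted in the thread, not shipped standards, and the plain-dict header access and the trusted-origin allowlist are assumptions of this example.

```python
from urllib.parse import urlsplit

# Header names exactly as proposed in the thread (hypothetical, not standardized).
REQUEST_HEADER = "X-Ancestor-Frame-Origin"               # proposal 7: browser -> site
RESPONSE_HEADER = "X-I-Do-Not-Want-To-Be-Framed-Across-Domains"  # proposal 1: site -> browser

DEFAULT_PORTS = {"http": 80, "https": 443}


def normalize_origin(value):
    """Reduce an origin string to (scheme, host, port); None if it cannot be parsed."""
    try:
        parts = urlsplit(value.strip())
        if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
            return None
        port = parts.port if parts.port is not None else DEFAULT_PORTS[parts.scheme]
    except ValueError:      # e.g. a malformed port
        return None
    return (parts.scheme, parts.hostname.lower(), port)


def server_allows_framing(request_headers, trusted_origins):
    """Proposal 7 (request header): the *site* decides whether the labelled
    ancestor origin may frame it. True = serve normally, False = refuse."""
    ancestor = request_headers.get(REQUEST_HEADER)   # assumption: dict with exact header name
    if ancestor is None:
        return True          # no ancestor frame: top-level load, nothing to redress
    origin = normalize_origin(ancestor)
    if origin is None:
        return False         # unparsable label: fail closed
    return origin in {normalize_origin(t) for t in trusted_origins}


def browser_renders_frame(response_headers, frame_origin, ancestor_origin):
    """Proposal 1 (response header): the *browser* honours the site's opt-out
    whenever the ancestor document has a different origin than the framed one."""
    opt_out = response_headers.get(RESPONSE_HEADER, "").strip().lower() == "yes"
    if not opt_out:
        return True
    return normalize_origin(frame_origin) == normalize_origin(ancestor_origin)
```

The request-header form puts the policy on the site (it can allow partners selectively), while the response-header form is a blanket refusal that the browser must enforce.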