[whatwg] Dealing with UI redress vulnerabilities inherent to the current web

Anne van Kesteren annevk at opera.com
Sun Sep 28 22:58:17 PDT 2008

On Mon, 29 Sep 2008 13:41:59 +0200, Michal Zalewski <lcamtuf at dione.cc>  
> Note that the current implementation proposals for "Origin" headers  
> (which I believe are limited to non-GET, non-HEAD requests) would not  
> prevent this attack, nor some other potential attack vectors; they would  
> probably need to be modified to include "Origin" header on SRC= GET  
> requests on IFRAME / EMBED / OBJECT / APPLET.

A cross-site XMLHttpRequest request would always include Origin. I haven't  
really seen other specifications start using it yet, but I believe there  
are some experimental implementations for including it in cross-site  
<form> POST requests.

Anne van Kesteren

More information about the whatwg mailing list