[whatwg] Dealing with UI redress vulnerabilities inherent to the current web

Adam Barth whatwg at adambarth.com
Mon Sep 29 13:06:09 PDT 2008

The current proposal is to sent the Origin header for non-GET,
non-HEAD requests.  The main reason not to send the header all the
time is that it raises similar privacy concerns as the Referer header,
which have caused the Referer header to be suppressed a non-trivial
fraction of the time.

Sending the Origin header more often is better for security, but it is
a gamble.  If we decide to send it too often, users/network operators
will just suppress the header and we won't have improved the
situation.  Sending the header for <form> POSTs seems like a clean
design point because sites don't POST to untrusted sites nearly as
often as they hyperlink to them.


On Mon, Sep 29, 2008 at 5:20 AM, Michal Zalewski <lcamtuf at dione.cc> wrote:
> On Mon, 29 Sep 2008, Anne van Kesteren wrote:
>> A cross-site XMLHttpRequest request would always include Origin. I haven't
>> really seen other specifications start using it yet, but I believe there are
>> some experimental implementations for including it in cross-site <form> POST
>> requests.
> Yup, I mean the non-XMLHttpRequest "Origin" header as proposed / implemented
> by Adam Barth and Collin Jackson for generic POSTs (though I might be not
> doing the implementation justice, so it's probably best for them to chime
> in).
> /mz

More information about the whatwg mailing list