[whatwg] Dealing with UI redress vulnerabilities inherent to the current web

Anne van Kesteren annevk at opera.com
Mon Sep 29 13:40:54 PDT 2008

On Mon, 29 Sep 2008 16:06:09 -0400, Adam Barth <whatwg at adambarth.com>  
> The current proposal is to send the Origin header for non-GET,
> non-HEAD requests.  The main reason not to send the header all the
> time is that it raises similar privacy concerns as the Referer header,
> which have caused the Referer header to be suppressed a non-trivial
> fraction of the time.
> Sending the Origin header more often is better for security, but it is
> a gamble.  If we decide to send it too often, users/network operators
> will just suppress the header and we won't have improved the
> situation.  Sending the header for <form> POSTs seems like a clean
> design point because sites don't POST to untrusted sites nearly as
> often as they hyperlink to them.

Hmm, we went through this before I believe. I thought the issue with  
Referer was that it exposed path information, but I guess the problem with  
Origin is that it reveals the intranet server name? On the other hand, for  
the not-link following case how common is it for intranet applications to  
load images and resources cross-site?

Anne van Kesteren
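As an added illustration (not code from the thread or from either author), here is the server side of the proposal Adam describes: a check that requires a matching Origin on non-GET/non-HEAD requests and makes the handling of a suppressed header an explicit policy choice. All origins and sample requests in it are constructed.

```python
from urllib.parse import urlsplit

SAFE_METHODS = {"GET", "HEAD"}


def normalize_origin(origin):
    """Canonical scheme://host[:port] in lower case, or None if malformed."""
    parts = urlsplit(origin.strip())
    if not parts.scheme or not parts.netloc or parts.path or parts.query or parts.fragment:
        return None
    return f"{parts.scheme}://{parts.netloc}".lower()


def check_origin(method, headers, allowed_origins, allow_missing=False):
    """Decide whether one request passes the Origin check.

    Returns (allowed, reason). allowed_origins is a set of canonical
    origins such as {"https://app.example"} (a constructed value).
    """
    if method.upper() in SAFE_METHODS:
        return True, "safe method"  # the proposal sends no Origin here
    lowered = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    origin = lowered.get("origin")
    if origin is None:
        # Header suppressed (e.g. by a privacy proxy): a deliberate policy choice,
        # because silently allowing the request reopens the cross-site hole.
        return allow_missing, "origin absent"
    if origin == "null":
        return False, "opaque origin"
    canon = normalize_origin(origin)
    if canon is None:
        return False, "malformed origin"
    if canon in {normalize_origin(a) for a in allowed_origins}:
        return True, "origin allowed"
    return False, "cross-site origin"


# Constructed sample requests, not captured traffic.
SAMPLE_REQUESTS = [
    ("GET", {}),
    ("POST", {"Origin": "https://app.example"}),
    ("POST", {"Origin": "https://other.example"}),
    ("POST", {}),
]


def audit(allowed=frozenset({"https://app.example"})):
    """Run the check over the sample requests; returns one bool per request."""
    return [check_origin(m, h, allowed)[0] for m, h in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for (m, h), ok in zip(SAMPLE_REQUESTS, audit()):
        print(m, h.get("Origin", "-"), "allowed" if ok else "rejected")
```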
