[whatwg] Dealing with UI redress vulnerabilities inherent to the current web

Henri Sivonen hsivonen at iki.fi
Tue Sep 30 09:31:58 PDT 2008


On Sep 29, 2008, at 23:52, Adam Barth wrote:

> On Mon, Sep 29, 2008 at 1:40 PM, Anne van Kesteren  
> <annevk at opera.com> wrote:
>> I thought the issue with Referer
>> was that it exposed path information, but I guess the problem with  
>> Origin is
>> that it reveals the intranet server name?
>
> The query string and the path are probably the most privacy-sensitive.
> Yes, the concern is revealing the name of an intranet server.  Most
> names are probably innocuous (like www, hr, or wiki), but there are
> others that might be an issue (like secretproject).  It's hard for me
> to evaluate how concerning this privacy leak is.

This could be addressed by sending a cryptographic hash of the origin  
(using an algorithm that is commonly available in libraries used by  
server-side programmers).

-- 
Henri Sivonen
hsivonen at iki.fi
http://hsivonen.iki.fi/