[whatwg] Dealing with UI redress vulnerabilities inherent to the current web
Henri Sivonen
hsivonen at iki.fi
Tue Sep 30 09:31:58 PDT 2008
On Sep 29, 2008, at 23:52, Adam Barth wrote:
> On Mon, Sep 29, 2008 at 1:40 PM, Anne van Kesteren
> <annevk at opera.com> wrote:
>> I thought the issue with Referer
>> was that it exposed path information, but I guess the problem with
>> Origin is
>> that it reveals the intranet server name?
>
> The query string and the path are probably the most privacy-sensitive.
> Yes, the concern is revealing the name of an intranet server. Most
> names are probably innocuous (like www, hr, or wiki), but there are
> others that might be an issue (like secretproject). It's hard for me
> to evaluate how concerning this privacy leak is.
This could be addressed by sending a cryptographic hash of the origin
(using an algorithm that is commonly available in libraries used by
server-side programmers).
--
Henri Sivonen
hsivonen at iki.fi
http://hsivonen.iki.fi/
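As an added illustration (not part of this thread), the hashed-origin idea in Python: the browser side serializes the origin as scheme://host[:port] and hashes it, the server compares the received value against hashes of its own allowed origins, and the last function is the check a practitioner would run first, namely whether a hash of a name drawn from a short list of plausible intranet hostnames (the thread's www, hr, wiki) is matched by trying that list. SHA-256, the header shape and the sample origins are assumptions.

```python
import hashlib
import hmac
from typing import Iterable, Optional
from urllib.parse import urlsplit

# Assumed: the hashed value would replace the plain Origin header; SHA-256 is
# chosen only because it is available in every common server-side library.
DEFAULT_PORTS = {"http": 80, "https": 443}


def serialize_origin(url: str) -> str:
    """Serialize a URL to scheme://host[:port], omitting the scheme's default port.
    Path and query are dropped, which is what makes Origin less sensitive than Referer."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = parts.hostname  # already lowercased by urlsplit
    if scheme not in DEFAULT_PORTS or host is None:
        raise ValueError("unsupported or malformed origin: %r" % url)
    port = parts.port or DEFAULT_PORTS[scheme]
    if port == DEFAULT_PORTS[scheme]:
        return f"{scheme}://{host}"
    return f"{scheme}://{host}:{port}"


def hashed_origin(url: str) -> str:
    """Browser side: the value sent instead of the plain origin (hypothetical)."""
    return hashlib.sha256(serialize_origin(url).encode("utf-8")).hexdigest()


def is_allowed(received: str, allowlist: Iterable[str]) -> bool:
    """Server side: the server knows its own allowed origins, so it hashes each
    and compares in constant time; it never needs the plain name."""
    return any(hmac.compare_digest(received, hashed_origin(o)) for o in allowlist)


def guessable_from(received: str, candidates: Iterable[str]) -> Optional[str]:
    """Evaluation check: the same comparison run over a list of plausible
    hostnames. A match means the hash did not hide the name, because the
    input space (short intranet names) is small enough to enumerate."""
    for c in candidates:
        if hmac.compare_digest(received, hashed_origin(c)):
            return serialize_origin(c)
    return None


if __name__ == "__main__":
    # Constructed sample: an intranet origin whose name appears in the thread.
    h = hashed_origin("http://secretproject/reports?q=1")
    print(h, is_allowed(h, ["http://www", "http://secretproject"]))
    print(guessable_from(h, ["http://www", "http://hr", "http://wiki", "http://secretproject"]))
```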