On 07/09/2009 03:05 PM, EricLaw wrote:
>>> It seems natural that a subdownload should be able to say e.g.
>>> Content-Security-Policy: callers <originlist>
>> That's not too far off from what frame-ancestors does (which was
>> also a scope-creep). Could they be combined in some way?
>>
>> I'd like something like that, but won't concerned sites want to
>> enforce it server-side? A reliable Referer, or the Origin/Sec-From
>> header would seem more useful there.
>
> Some might, but that basically requires the server to send Vary:
> Origin or Vary: Sec-From for all resources returned. This seems like
> it could potentially impair performance for otherwise cacheable
> resources.
I don't see why servers need to send Vary: Sec-From for all resources returned. Can't they just send it for the resources that they don't want cached?

You mentioned that there are legacy IE bugs that would be problematic for sending Vary: Sec-From. In the article you posted it says:

> Internet Explorer 6 will treat a response with a Vary header as
> completely uncacheable...

This seems like a problem of underutilizing browser caching, but it doesn't seem to break the Sec-From model, where each request is validated by the server using the context supplied in Sec-From. If an extra request is generated, it will be validated by the server in the same way as the original request. Plus, this is assuming that Microsoft even plans to implement Sec-From in IE 6/7.

Are there other problems that you see in the Sec-From model? It addresses both CSRF and the bandwidth-stealing issue you raised. I'm personally a strong supporter.

Cheers,
Brandon

_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security
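The server-side model Brandon describes, sketched as an added example that is not code from the thread or from the Sec-From proposal: the server looks at the requester's origin only for the resources whose response actually depends on it (a state-changing endpoint and a hotlink-sensitive asset here) and emits Vary: Sec-From only on those, so everything else stays cacheable. The header name Sec-From is the proposal's; the example also accepts Origin as the later standardized equivalent. The protected paths, the allowlist of origins, and the fail-closed treatment of a missing or "null" value are assumptions made for the example.

```python
"""Origin-context validation per request, with Vary only where it matters.

Added example (not from the mailing-list thread). Assumes the requester's
page origin arrives in a Sec-From header (or Origin, its shipped successor)
as one or more scheme://host[:port] values, or the literal "null".
"""
from urllib.parse import urlsplit

# Assumed policy: only these resources depend on who is asking. A
# state-changing endpoint (CSRF target) and a large asset we do not want
# hotlinked (the bandwidth-stealing case). Everything else is served
# without consulting Sec-From and without a Vary header.
PROTECTED_PATHS = {"/account/transfer", "/media/video.mp4"}

# Assumed allowlist of origins permitted to use the protected resources.
ALLOWED_ORIGINS = {"https://example.org", "https://app.example.org"}

VARY = {"Vary": "Sec-From"}


def _get_header(headers, name):
    """Case-insensitive header lookup over a plain dict."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


def normalize_origin(value):
    """Canonicalize one origin token; None for "null", junk, or bad ports."""
    value = value.strip()
    if value == "null":
        return None
    parts = urlsplit(value)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    try:
        port = parts.port
    except ValueError:  # e.g. "https://host:abc"
        return None
    default = 443 if parts.scheme == "https" else 80
    host = parts.hostname.lower()
    if port is None or port == default:
        return f"{parts.scheme}://{host}"
    return f"{parts.scheme}://{host}:{port}"


def decide(path, headers):
    """Return (status, extra_response_headers) for one request.

    Unprotected resources never get Vary and are never rejected, so their
    cacheability is untouched. Protected ones are checked on every request
    and always carry Vary: Sec-From (on 200 and 403 alike) so a shared cache
    keys them on the origin that was validated.
    """
    if path not in PROTECTED_PATHS:
        return 200, {}

    raw = _get_header(headers, "Sec-From")
    if raw is None:
        raw = _get_header(headers, "Origin")
    if raw is None:
        # Fail closed: no origin context means we cannot validate (assumed
        # policy; a site could instead fall back to a CSRF token here).
        return 403, dict(VARY)

    # A redirect chain may list several origins; every one must be allowed.
    origins = [normalize_origin(tok) for tok in raw.split()]
    if not origins or any(o is None or o not in ALLOWED_ORIGINS for o in origins):
        return 403, dict(VARY)
    return 200, dict(VARY)


if __name__ == "__main__":
    # Constructed sample requests.
    print(decide("/index.html", {}))
    print(decide("/account/transfer", {"Sec-From": "https://example.org"}))
    print(decide("/account/transfer", {"Sec-From": "https://evil.example"}))
    print(decide("/account/transfer", {}))
```

Note that the cacheability cost is confined to the two protected paths: a cache that ignores or mishandles Vary (the IE 6 behaviour quoted above) only re-fetches those, and each re-fetch is validated exactly like the first request.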
