On Thu, 7 Feb 2008, Close, Tyler J. wrote:
> > A hostile client can already do cross-site third party requests.
>
> But can the hostile client convincingly blame another site for the
> request?

Yes, of course. The Referer header (which is what is currently used to determine who sent the request) can obviously be faked along with everything else. Referer-Root is only a subset of Referer -- it has the path information removed, so that we can include it without leaking privacy-critical information like account IDs which might be in the path or CGI parameters of the requesting page.

> That's the new part.

Referer-Root is not new. It's a subset of an existing header.

> A hostile client can send a request that looks like it was sent by an
> honest client and is the fault of the Referer-Root site.

A hostile client can take a request from party A, change it, send it to party B, without ever involving evil party C. It can just _be_ the evil party. The only way around this is for parties A and B to use encryption or signing from the server side, without trusting the hostile client at all. This is the case both today, without Access-Control, and with any implementation of Access-Control that I can imagine.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

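The reduction Hickson describes above, a Referer value with its path and query stripped down to scheme and host so that account IDs or session parameters in the requesting page's URL are not sent along, as an added illustration that is not part of the thread. The function name `referer_root` and the sample URLs are constructed for this example; it also elides default ports and keeps IPv6 literals bracketed, which the message does not spell out.

```python
from urllib.parse import urlsplit

# Default ports that a scheme://host form already implies; an explicit
# port equal to these is dropped so the same origin yields one value.
_DEFAULT_PORTS = {"http": 80, "https": 443}


def referer_root(referer: str) -> str:
    """Reduce a full Referer URL to its scheme://host[:port] prefix.

    Everything after the authority (path, query, fragment) is discarded,
    so whatever the requesting page embedded in its own URL, such as an
    account ID in the path or a token in a CGI parameter, never leaves
    the browser in this header.
    """
    parts = urlsplit(referer)
    if not parts.scheme or not parts.hostname:
        raise ValueError(f"not an absolute URL: {referer!r}")
    scheme = parts.scheme.lower()
    host = parts.hostname  # already lower-cased, brackets stripped
    if ":" in host:  # IPv6 literal must be re-bracketed
        host = f"[{host}]"
    port = parts.port
    if port is None or port == _DEFAULT_PORTS.get(scheme):
        return f"{scheme}://{host}"
    return f"{scheme}://{host}:{port}"


if __name__ == "__main__":
    # Constructed sample: a bank page whose URL carries an account number
    # and a session parameter. Only the origin survives the reduction.
    full = "https://bank.example/accounts/12345/statement?session=abc"
    print(referer_root(full))  # https://bank.example
```

Note that, as the message says, this header is still supplied by the client; the reduction limits what an honest browser leaks, not what a hostile client can claim.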