On Mon, 29 Sep 2008 16:06:09 -0400, Adam Barth <[EMAIL PROTECTED]> wrote:
The current proposal is to send the Origin header for non-GET,
non-HEAD requests.  The main reason not to send the header all the
time is that it raises similar privacy concerns as the Referer header,
which have caused the Referer header to be suppressed a non-trivial
fraction of the time.

Sending the Origin header more often is better for security, but it is
a gamble.  If we decide to send it too often, users/network operators
will just suppress the header and we won't have improved the
situation.  Sending the header for <form> POSTs seems like a clean
design point because sites don't POST to untrusted sites nearly as
often as they hyperlink to them.

Hmm, we went through this before I believe. I thought the issue with Referer was that it exposed path information, but I guess the problem with Origin is that it reveals the intranet server name? On the other hand, for the not-link following case how common is it for intranet applications to load images and resources cross-site?


--
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>

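Added example (not code from Adam's proposal or Anne's reply): a server-side check that applies the policy discussed above, requiring a trusted Origin on non-GET, non-HEAD requests, falling back to Referer when Origin has been suppressed, and failing closed when both are absent; the function names and the sample origin are assumptions for illustration.

```python
from typing import Optional, Tuple, Set
from urllib.parse import urlsplit

# Methods that do not change state and therefore need no Origin (per the proposal).
SAFE_METHODS = {"GET", "HEAD"}


def origin_of(url: str) -> Optional[str]:
    """Reduce a URL to its scheme://host[:port] origin, or None if unparsable."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}".lower()


def check_cross_site_request(method: str, headers: dict, trusted: Set[str]) -> Tuple[bool, str]:
    """Return (allowed, reason) for one request; header names compared case-insensitively."""
    h = {k.lower(): v for k, v in headers.items()}
    if method.upper() in SAFE_METHODS:
        return True, "safe method: no Origin check required"

    origin = h.get("origin")
    if origin is not None:
        # Browsers send the literal "null" for opaque or privacy-sensitive origins;
        # that tells us nothing about the sender, so it is not accepted here.
        if origin.strip().lower() == "null":
            return False, "opaque (null) Origin on state-changing request"
        return origin.lower() in trusted, f"Origin {origin} checked against trust list"

    # Origin suppressed (the gamble the thread describes): try Referer, which
    # the thread also notes is stripped a non-trivial fraction of the time.
    ref_origin = origin_of(h.get("referer", ""))
    if ref_origin is not None:
        return ref_origin in trusted, f"no Origin; Referer origin {ref_origin} checked"

    # Neither header: same-site and forged requests are indistinguishable, so fail closed.
    return False, "no Origin or Referer on state-changing request"


# Constructed sample trust list for a single application origin.
TRUSTED = {"https://app.example"}
```

A deployment that fails closed this way trades availability for users behind header-stripping proxies against CSRF protection, which is exactly the trade-off the thread is weighing.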