On Sep 29, 2008, at 23:52, Adam Barth wrote:

> On Mon, Sep 29, 2008 at 1:40 PM, Anne van Kesteren <[EMAIL PROTECTED]> wrote:
>> I thought the issue with Referer was that it exposed path information,
>> but I guess the problem with Origin is that it reveals the intranet
>> server name?
>
> The query string and the path are probably the most privacy-sensitive.
> Yes, the concern is revealing the name of an intranet server. Most
> names are probably innocuous (like www, hr, or wiki), but there are
> others that might be an issue (like secretproject). It's hard for me
> to evaluate how concerning this privacy leak is.

This could be addressed by sending a cryptographic hash of the origin (using an algorithm that is commonly available in libraries used by server-side programmers).

--
Henri Sivonen
[EMAIL PROTECTED]
http://hsivonen.iki.fi/
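The hashed-Origin idea above, worked through as an added example (this is not code from the thread or from any browser or server project). It assumes the client would send the SHA-256 hex digest of the serialized origin in place of the plain origin, and that the server keeps an allow list of digests for the origins it trusts. The `serialize_origin` helper, the function names and the sample hostnames (`wiki`, `hr`, `secretproject`) are all constructed for the example.

```python
import hashlib

# Default ports that are omitted from a serialized origin (assumption:
# origin serialization as scheme://host[:port], lower-cased).
DEFAULT_PORTS = {"http": 80, "https": 443}


def serialize_origin(scheme, host, port=None):
    """Canonical text form of an origin so that client and server hash
    exactly the same bytes."""
    scheme = scheme.lower()
    host = host.lower()
    if port is None or port == DEFAULT_PORTS.get(scheme):
        return f"{scheme}://{host}"
    return f"{scheme}://{host}:{port}"


def hashed_origin(origin):
    """What the client would send instead of the plain origin string."""
    return hashlib.sha256(origin.encode("ascii")).hexdigest()


def build_allow_list(origins):
    """Server side: pre-hash the trusted origins once at startup.
    `origins` is an iterable of (scheme, host[, port]) tuples."""
    return frozenset(hashed_origin(serialize_origin(*o)) for o in origins)


def is_allowed(header_value, allow_list):
    """Server side: the request is trusted iff the received digest matches
    one of the pre-hashed trusted origins."""
    return header_value in allow_list


def recoverable_from_wordlist(header_value, scheme, wordlist):
    """Defender-side check: does the digest actually hide the host name?
    A deterministic hash of a low-entropy name is matched by simply hashing
    each candidate; returns the matching host or None."""
    for host in wordlist:
        if hashed_origin(serialize_origin(scheme, host)) == header_value:
            return host
    return None


if __name__ == "__main__":
    # Constructed trusted origins for a hypothetical intranet service.
    allow = build_allow_list([("https", "wiki"), ("https", "hr", 8443)])

    sent = hashed_origin(serialize_origin("HTTPS", "Wiki", 443))
    print("wiki allowed:", is_allowed(sent, allow))           # True
    print("secretproject allowed:",
          is_allowed(hashed_origin("https://secretproject"), allow))  # False

    # Common intranet names (www, hr, wiki from the thread) are guessable.
    print("recovered:", recoverable_from_wordlist(
        sent, "https", ["www", "hr", "wiki"]))                 # wiki
```

The allow-list check works because both sides hash the same canonical string, so canonicalization (case, default port) has to be specified as precisely as the hash. The last function shows the limit of the scheme: the digest is deterministic and unsalted, so it hides an origin only to the extent that the host name itself is not guessable from a short list of common names.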
