On Tue, 30 Sep 2008, Adam Barth wrote:
This could be addressed by sending a cryptographic hash of the origin (using
an algorithm that is commonly available in libraries used by server-side
programmers).
Interesting idea. So you're suggesting something like:
Origin-SHA1: 4e13de73de2d1a1c350eb4ae429bb7b009a21a84
This sounds like it would work well if the site owner knew exactly all
the origins he was expecting, but it makes it difficult to enforce a
policy like "process this request if it came from a subdomain of
example.com."
More importantly, since the dictionary of possible inputs is rather
limited, it would be pretty trivial to build a dictionary of site <-> hash
pairs and crack the values. May protect xyzzy2984.eur.int.example.com, but
would still reveal to me you are coming from playboy.com.
/mz