HTML Standard Tracker

SVN: 2525
Comment: [Webkit] CSRF mitigation -- add Origin header to all non-GET requests.
Time (UTC): 2008-12-02 11:26
@@ -5759,22 +5759,23 @@ http://software.hixie.ch/utilities/js/live-dom-viewer/?%3C%21DOCTYPE%20html%3E..
   started (that is, the page which <span
   title="navigate">navigated</span> the <span>browsing context</span>
   to the current document), or the empty string if there is no such
   originating page, or if the UA has been configured not to report
   referrers in this case, or if the navigation was initiated for a
   <span>hyperlink</span> with a <code
   title="rel-noreferrer">noreferrer</code> keyword.</p>
 
   <p class="note">In the case of HTTP, the <code
   title="dom-document-referrer">referrer</code> DOM attribute will
-  match the <code title="">Referer</code> (sic) header that was sent
-  when <span title="fetch">fetching</span> the current page.</p>
+  match the <code title="http-referer">Referer</code> (sic) header
+  that was sent when <span title="fetch">fetching</span> the current
+  page.</p>
 
   <p class="note">Typically user agents are configured to not report
   referrers in the case where the referrer uses an encrypted protocol
   and the current page does not (e.g. when navigating from an <code
   title="">https:</code> page to an <code title="">http:</code>
   page).</p>
 
   <hr>
 
   <p>The <dfn title="dom-document-cookie"><code>cookie</code></dfn>
@@ -39561,22 +39562,23 @@ JSURL: http://ietfreport.isoc.org/all-ids/draft-hoehrmann-javascript-scheme-00.t
   the URLs themselves could contain confidential information. For
   example, the URL could be
   <code>http://www.corp.example.com/upcoming-aquisitions/the-sample-company.egf</code>,
   which might tell the third party that Example Corporation is
   intending to merge with The Sample Company. Implementors might wish
   to consider allowing administrators to disable this feature for
   certain subdomains, content types, or protocols.</p>
 
   <p><strong>Leaking secure URLs.</strong> User agents should not send
   HTTPS URLs to third-party sites registered as content handlers, in
-  the same way that user agents do not send <code>Referer</code>
-  headers from secure sites to third-party sites.</p>
+  the same way that user agents do not send <code
+  title="http-referer">Referer</code> headers from secure sites to
+  third-party sites.</p>
 
   <p><strong>Leaking credentials.</strong> User agents must never send
   username or password information in the URLs that are escaped and
   included sent to the handler sites. User agents may even avoid
   attempting to pass to Web-based handlers the URLs of resources
   that are known to require authentication to access, as such sites
   would be unable to access the resources in question without
   prompting the user for credentials themselves (a practice that would
   require the user to know whether to trust the third-party handler, a
   decision many users are unable to make or even understand).</p>
@@ -42024,51 +42026,82 @@ user reload must be equivalent to .reload()
     check if there are any <span title="relevant application
     cache">relevant application caches</span> that are identified by a
     URL with the <span>same origin</span> as the URL in question, and
     that have this URL as one of their entries, excluding entries
     marked as <span
     title="concept-appcache-foreign">foreign</span>. If so, then the
     user agent must then get the resource from the <span
     title="concept-appcache-selection">most appropriate application
     cache</span> of those that match.</p>
 
-    <p>Otherwise, <span>fetch</span> the new resource. If this results
-    in a redirect, return to <a href="#navigate-fragid-step">the step
-    labeled "fragment identifiers"</a> with the new resource.</p>
-
     <p class="example">For example, imagine an HTML page with an
     associated application cache displaying an image and a form, where
     the image is also used by several other application caches. If the
     user right-clicks on the image and chooses "View Image", then the
     user agent could decide to show the image from any of those
     caches, but it is likely that the most useful cache for the user
     would be the one that was used for the aforementioned HTML
     page. On the other hand, if the user submits the form, and the
     form does a POST submission, then the user agent will not use an
     application cache at all; the submission will be made to the
     network.</p>
 
+    <p>Otherwise, <span>fetch</span> the new resource. If the resource
+    is being fetched using HTTP, and the method is not GET<!-- or HEAD
+    (but that can't happen) -->, then the user agent must include an
+    <code title="http-origin">Origin</code> header whose value is
+    determined as follows:</p>
+
+    <dl class="switch">
+
+     <dt>If the <span title="navigate">navigation</span> algorithm has
+     so far contacted more than one <span>origin</span></dt>
+     <dt>If there is no <span>source browsing context</span></dt>
+
+     <dd>The value must be the string "<code title="">null</code>".</dd>
+
+     <dt>Otherwise</dt>
+
+     <dd>The value must be the <span title="ASCII serialization of an
+     origin">ASCII serialization</span> of the <span>origin</span> of
+     the <span>active document</span> of the <span>source browsing
+     context</span> at the time the navigation was started.</dd>
+
+    </dl>
+
    </li>
 
    <li>
 
     <p>If fetching the resource is synchronous (i.e. for <span
     title="javascript protocol"><code title="">javascript:</code>
     URLs</span> and <code>about:blank</code>), then this must be
     synchronous, but if fetching the resource depends on external
     resources, as it usually does for URLs that use HTTP or other
     networking protocols, then at this point the user agents must
     yield to whatever script invoked the navigation steps, if they
     were invoked by script.</p>
 
    </li>
 
+   <li>
+
+    <p>If fetching the resource results in a redirect, return to <a
+    href="#navigate-fragid-step">the step labeled "fragment
+    identifiers"</a> with the new resource.</p>
+
+    <p class="note">Cross-origin redirects cause the <code
+    title="http-origin">Origin</code> header to become "<code
+    title="">null</code>" on subsequent requests in the chain.</p>
+
+   </li>
+
    <li><p>Wait for one or more bytes to be available or for the user
    agent to establish that the resource in question is empty. During
    this time, the user agent may allow the user to cancel this
    navigation attempt or start other navigation attempts.</p></li>
 
    <li>
 
     <p>If the resource was not fetched from an <span>application
     cache</span>, and was to be fetched using HTTP GET <span
     title="concept-http-equivalent-get">or equivalent</span>, and its
@@ -44154,71 +44187,86 @@ interface <dfn>SQLStatementErrorCallback</dfn> {
   title="split the string on spaces">split that string on
   spaces</span>, <span title="resolve a url">resolve</span> each
   resulting token, and then should send a request (as described below)
   to each of the resulting <span title="absolute URL">absolute
   URLs</span>. (Tokens that fail to resolve are ignored.) This may be
   done in parallel with the primary request, and is independent of the
   result of that request.</p>
 
   <p>User agents should allow the user to adjust this behavior, for
   example in conjunction with a setting that disables the sending of
-  HTTP <code title="">Referer</code> headers. Based on the user's
-  preferences, UAs may either <span>ignore</span> the <code
+  HTTP <code title="http-referer">Referer</code> headers. Based on the
+  user's preferences, UAs may either <span>ignore</span> the <code
   title="attr-hyperlink-ping">ping</code> attribute altogether, or
   selectively ignore URLs in the list (e.g. ignoring any third-party
   URLs).</p>
 
   <p>For URLs that are HTTP URLs, the requests must be performed by
   <span title="fetch">fetching</span> the specified URLs using the
   POST method, with an entity body with the MIME type <code
   title="">text/ping</code> consisting of the four-character string
   "<code title="">PING</code>". All relevant cookie and HTTP
   authentication headers must be included in the request. Which other
   headers are required depends on the URLs involved.</p>
 
   <dl class="switch">
 
    <dt>If both the <span title="the document's address">address</span>
    of the <code>Document</code> object containing the hyperlink being
    audited and the ping URL have the <span>same origin</span></dt>
 
-   <dd>The request must include a <code title="">Ping-From</code> HTTP
-   header with, as its value, the <span title="the document's
-   address">address</span> of the document containing the hyperlink,
-   and a <code title="">Ping-To</code> HTTP header with, as its value,
+   <dd>The request must include a <code
+   title="http-ping-from">Ping-From</code> HTTP header with, as its
+   value, the <span title="the document's address">address</span> of
+   the document containing the hyperlink, and a <code
+   title="http-ping-to">Ping-To</code> HTTP header with, as its value,
    the address of the <span>absolute URL</span> of the target of the
    hyperlink. The request must not include a <code
-   title="">Referer</code> HTTP header. <!-- why not? --></dd>
+   title="http-referer">Referer</code> HTTP header. <!-- because
+   otherwise it would look like a trustable same-origin POST --></dd>
 
    <dt>Otherwise, if the origins are different, but the document
    containing the hyperlink being audited was not retrieved over an
-   encrypted connection</dt> <!-- why different? -->
+   encrypted connection</dt>
 
    <dd>The request must include a <code title="">Referer</code> HTTP
    header [sic] with, as its value, the <span title="the document's
    address">address</span> of the document containing the hyperlink, a
-   <code title="">Ping-From</code> HTTP header with the same value,
-   and a <code title="">Ping-To</code> HTTP header with, as its value,
-   the address of the target of the hyperlink.</dd>
+   <code title="http-ping-from">Ping-From</code> HTTP header with the
+   same value, and a <code title="http-ping-to">Ping-To</code> HTTP
+   header with, as its value, the address of the target of the
+   hyperlink.</dd>
 
    <dt>Otherwise, the origins are different and the document
    containing the hyperlink being audited was retrieved over an
    encrypted connection</dt>
 
-   <dd>The request must include a <code title="">Ping-To</code> HTTP
-   header with, as its value, the address of the target of the
-   hyperlink. The request must neither include a <code
-   title="">Referer</code> HTTP header nor include a <code
-   title="">Ping-From</code> HTTP header.</dd>
+   <dd>The request must include a <code
+   title="http-ping-to">Ping-To</code> HTTP header with, as its value,
+   the address of the target of the hyperlink. The request must
+   neither include a <code title="">Referer</code> HTTP header nor
+   include a <code title="http-ping-from">Ping-From</code> HTTP
+   header.</dd>
 
   </dl>
 
+  <p>In addition, an <code title="http-origin">Origin</code> header
+  must always be included, whose value is the <span title="ASCII
+  serialization of an origin">ASCII serialization</span> of the
+  <span>origin</span> of the the <code>Document</code> containing the
+  <span>hyperlink</span>. The value of the <code
+  title="http-origin">Origin</code> header must be set to "<code
+  title="">null</code>" when following redirects if the <span
+  title="origin">origins</span> of all the <span
+  title="URL">URLs</span> involved are not the <span title="same
+  origin">same</span>.</p>
+
   <p class="note">To save bandwidth, implementors might also wish to
   consider omitting optional headers such as <code>Accept</code> from
   these requests.</p>
 
   <p>User agents must, unless otherwise specified by the user, honor
   the HTTP headers (including, in particular, redirects and HTTP
   cookie headers), but must ignore any entity bodies returned in the
   responses. User agents may close the connection prematurely once
   they start receiving an entity body. <a
   href="#refsRFC2109">[RFC2109]</a> <a
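Review bot: the new paragraph has a duplicated word ("the origin of the the Document containing the hyperlink"), and its redirect rule ("set to null when following redirects if the origins of all the URLs involved are not the same") is worded differently from the navigation algorithm's "has so far contacted more than one origin"; both describe the same Origin header, so aligning the wording avoids implementors reading them as two rules. Two cross-references in this hunk were not updated: the unencrypted cross-origin branch and the encrypted cross-origin branch still use <code title="">Referer</code> where every other occurrence in this commit became title="http-referer", so those two will not link. The new comment replacing "why not?" ("because otherwise it would look like a trustable same-origin POST") is the security rationale for omitting Referer on same-origin pings and is worth making visible text rather than a source comment, since it explains why an origin-only Origin header is sent while the full Referer is withheld.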
