=== Privacy-Sensitive Contexts ===
To elaborate on the table above, the [http://webblaze.cs.berkeley.edu/2009/origin/origin.txt Sec-From Internet Draft] states that "null" must be sent as the value of Sec-From instead of origin data when the request is initiated from a privacy-sensitive context. The privacy-sensitive contexts are:
; Anchor tag/hyperlink click : hyperlinks are a common way to jump from one site to another without trust. They should not be used to initiate state-changing procedures.
; Window navigation : changing the location of a window is a common way to mimic a hyperlink click.
; Image load (<img> tag) : third-party images are commonly embedded across origins and can be used as "web bugs".
; Stylesheet : third-party stylesheets should not initiate state-changing requests.
; Dependent load in stylesheet : usually an image, protected for the same reasons as the image load mentioned above.
The remaining contexts are not privacy sensitive, and origin information should be transmitted in the Sec-From header.
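As an added illustration (not code from the draft or from this wiki), the following Python sketch shows both sides of the rule above: how a user agent would pick the Sec-From value for a given initiating context, and how a server could use that value to refuse state-changing requests that arrive from a privacy-sensitive initiator. The context labels, the origin serialization (scheme://host[:port], default ports omitted) and the policy of rejecting a request that carries no Sec-From header at all are assumptions made for this example.

```python
from urllib.parse import urlsplit

# Contexts the draft lists as privacy-sensitive; the user agent sends
# Sec-From: null for these. The labels are constructed for this example.
PRIVACY_SENSITIVE_CONTEXTS = frozenset({
    "hyperlink",             # anchor tag / hyperlink click
    "window-navigation",     # script changing a window's location
    "image",                 # <img> load
    "stylesheet",            # third-party stylesheet load
    "stylesheet-dependent",  # e.g. a background image fetched by a stylesheet
})
DEFAULT_PORTS = {"http": 80, "https": 443}
STATE_CHANGING_METHODS = frozenset({"POST", "PUT", "PATCH", "DELETE"})


def serialize_origin(url):
    """Assumed origin serialization: scheme://host[:port], default port omitted."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port
    if port is None or port == DEFAULT_PORTS.get(scheme):
        return f"{scheme}://{host}"
    return f"{scheme}://{host}:{port}"


def sec_from_value(initiator_url, context):
    """Value a user agent puts in Sec-From for a request started from
    initiator_url in the given context: "null" for privacy-sensitive
    contexts, otherwise the initiating page's origin."""
    if context in PRIVACY_SENSITIVE_CONTEXTS:
        return "null"
    return serialize_origin(initiator_url)


def allow_state_change(method, sec_from, trusted_origins):
    """Server-side check. Reads are always allowed; a state-changing method
    is accepted only when Sec-From names a trusted origin. "null" (hyperlink,
    image load, stylesheet ...) is rejected, and so is a missing header
    (assumed policy; a deployment could fall back to a CSRF token there)."""
    if method.upper() not in STATE_CHANGING_METHODS:
        return True
    if sec_from is None or sec_from == "null":
        return False
    trusted = {serialize_origin(o) for o in trusted_origins}
    return serialize_origin(sec_from) in trusted
```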
= Implementation =