ACTION-46: Update CORS Origin header behavior in case of HTTP redirect
- State: closed
- Person: Anne van Kesteren
- Due on: February 14, 2012
- Created on: February 1, 2012
- Related emails: No related emails
Related notes:
With regard to HTTP redirects and the Origin header, RFC 6454 states:
"When included in an HTTP request, the Origin header field indicates the origin(s) that "caused" the user agent to issue the request, as defined by the API that triggered the user agent to issue the request."
This gives each API the responsibility to set its own processing rules for the value of the Origin header in the event of a redirect. However, CORS says:
"6.1.3. Source Origin
The source origin is the initial origin that user agents must use for the Origin header. In case of redirects the user agents must follow the requirements set forth in the specification for that header."
This is a circular reference. CORS should specify the behavior implemented by user agents of returning "null" when redirects would cause a change in the host portion of origin, as, e.g. WebKit:
"The Origin header is only sent when requesting the specified URI. If the cross-origin request returns a redirect to a different URI, when fetching the subsequent location or locations, the Origin header is set to null and the Referer header field is set to the previous location in the redirect chain."
http://developer.apple.com/library/safari/#documentation/appleapplications/Conceptual/SafariJSProgTopics/Articles/XHR.html
or Firefox:
"Before honoring redirect, append current origin to end of Origin value (unless the last origin in the header is equal to the current origin, then do not modify its value). Set entire header value to "null" if redirect crosses FQDN boundaries or if initial value is "null"."
https://wiki.mozilla.org/Security/Origin
This is necessary to prevent reflection vulnerabilities in which the target of an XHR causes a redirect back to the origin making the request.
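The Firefox rule quoted above, modeled as an added example (not browser source and not part of this tracker note): it rewrites the Origin value across a redirect chain and shows why the reflection case ends up as "null". It assumes "crosses FQDN boundaries" means the host name changes between the redirecting URL and the redirect target, and uses constructed origins app.example and api.example.

```javascript
// Model of the Firefox Origin-on-redirect rule (added example, not browser code).
// Assumption: a redirect "crosses FQDN boundaries" when the host name of the
// redirect target differs from the host name of the URL that returned the redirect.

// Serialize the origin of a URL as scheme://host[:port].
function originOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.host}`;
}

// Origin header value to send when following one redirect.
// originHeader: value sent on the request that was answered with the redirect.
// currentUrl: URL of that request. redirectUrl: the Location the server returned.
function originAfterRedirect(originHeader, currentUrl, redirectUrl) {
  // An Origin that is already "null" stays "null" for the rest of the chain.
  if (originHeader === "null") return "null";
  // A redirect to a different host name collapses the whole header to "null".
  if (new URL(currentUrl).hostname !== new URL(redirectUrl).hostname) return "null";
  // Same host: append the current origin unless it is already the last entry.
  const chain = originHeader.split(" ");
  const current = originOf(currentUrl);
  if (chain[chain.length - 1] !== current) chain.push(current);
  return chain.join(" ");
}

// Follow a whole redirect chain starting from the requesting document's origin.
// urls[0] is the initial request URL; urls[i] is the Location returned by urls[i-1].
function originAlongChain(requesterOrigin, urls) {
  let header = requesterOrigin;
  for (let i = 1; i < urls.length; i++) {
    header = originAfterRedirect(header, urls[i - 1], urls[i]);
  }
  return header;
}

// Minimal server-side allow-list check, to show why the "null" value matters:
// a reflected request no longer carries the trusted origin, so it is not granted access.
function corsAllows(originHeader, allowedOrigins) {
  return originHeader !== "null" && allowedOrigins.includes(originHeader);
}

// Reflection scenario from the note (constructed hosts): api.example answers the
// XHR from app.example with a redirect back to app.example.
const reflected = originAlongChain("https://app.example",
  ["https://api.example/data", "https://app.example/private"]);
console.log(reflected, corsAllows(reflected, ["https://app.example"])); // null false
```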
Please file a bug next time.
Anne van Kesteren, 14 Feb 2012, 16:57:06