
Security/Origin

593 bytes added, 21:08, 14 July 2009
Changes from Previous Proposal (Origin)
Generally, the Sec-From header aims to provide a bit of context with HTTP requests so that servers may make educated decisions on whether or not to serve data, accept request data for state-changing transactions, or continue with a persistent session. This is accomplished by specifying a list of sites that indirectly caused a request (the redirect chain) and the immediate "Origin" of a request, or the entity that most recently caused the request to happen. This Origin may be a host name or the string "null" in the cases where a request may have been falsely or deceptively generated.
== Changes Design Path ==

=== Advantage of more than one bit of data ===
TODO: discuss why we decided this approach is better than just sending "OK" or "FAIL".

=== Selection of "null" token ===
TODO: describe why we chose "null" instead of something like "redacted" or "private" or "fail".

=== Diversion from Previous Proposal (CORS Origin) header ===
TODO: explain why we diverged from CORS.

=== Why not include a frame list? ===
There were a number of factors that caused this proposal to change from a model that helps prevent clickjacking to what is proposed here. An earlier proposal suggested providing the chain of frames as well as the origin of the request.
However, the '''chain of requests''' (i.e., redirects and referrer) that cause a document to load and the '''layout context''' in which a document will be rendered seem to be useful in different cases; the data points for "how you get something" versus "what you do with it" solve pretty orthogonal problems and we don't want to add complexity to Origin/Sec-From if it means a significant delay in adoption.
There are other features in the works that will hopefully fill the need for clickjacking prevention ([[Security/CSP|CSP]] for example).
 
=== Firewall-based Sec-From header scrubbing ===
TODO: Explain why and how admins of intranets may want to manipulate requests (setting to "null" instead of erasing) when forwarding outbound requests. Explain why removing is bad.
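As an added example (not code from this wiki page or from Firefox), the following Python shows the server-side use of Sec-From that the introduction describes and that the scrubbing section depends on: a state-changing request is refused when the immediate origin is "null" or when an untrusted site appears anywhere in the redirect chain, while a header that is absent altogether is treated as a separate case from one that was set to "null". The header format (whitespace-separated origins, oldest redirect first, immediate origin last, with "null" as the only non-URL token) is an assumption, since that section of the page is not yet written.

```python
from urllib.parse import urlsplit

# Methods for which the policy below is enforced; safe methods only
# receive the header as context and are served either way here.
STATE_CHANGING = {"POST", "PUT", "DELETE", "PATCH"}


def parse_sec_from(value):
    """Parse the ASSUMED format into (redirect_chain, immediate_origin).

    Returns None when the header is absent, i.e. the client never sent
    it or an intermediary erased it, which is the case the page argues
    a scrubbing gateway should avoid by writing "null" instead.
    """
    if value is None or not value.split():
        return None
    tokens = [t.lower() for t in value.split()]  # scheme/host are case-insensitive
    for tok in tokens:
        if tok == "null":
            continue
        parts = urlsplit(tok)
        # An origin is scheme://host[:port] only: no path, query or fragment.
        if not parts.scheme or not parts.netloc or parts.path not in ("", "/") \
                or parts.query or parts.fragment:
            raise ValueError("malformed origin token: %r" % tok)
    return tokens[:-1], tokens[-1]


def decide(method, sec_from_value, trusted_origins):
    """Policy verdict for one request.

    "allow"  - immediate origin and every site in the redirect chain are trusted
    "deny"   - immediate origin is "null" (request falsely or deceptively
               generated, or scrubbed by a gateway) or an untrusted site
               sits anywhere in the chain that led to this request
    "legacy" - no header at all; the server keeps its pre-existing
               defences (e.g. anti-CSRF tokens) rather than trusting the request
    """
    parsed = parse_sec_from(sec_from_value)
    if parsed is None:
        return "legacy"
    chain, origin = parsed
    if method.upper() not in STATE_CHANGING:
        return "allow"          # read request: header is context only
    if origin == "null":
        return "deny"
    trusted = {o.lower() for o in trusted_origins}
    if any(o not in trusted for o in chain + [origin]):
        return "deny"           # "null" in the chain also lands here
    return "allow"
```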
= Sec-From header format =