<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN"><html lang="en-US"><head>
  <meta content="text/html;charset=UTF-8" http-equiv="content-type">
  <title>The From-Origin Header</title>
  <style type="text/css">
   pre.idl { border:solid thin; background:#eee; color:#000; padding:0.5em }
   pre.idl :link, pre.idl :visited { color:inherit; background:transparent }
   pre code { color:inherit; background:transparent }
   div.example { margin-left:1em; padding-left:1em; border-left:double; color:#222; background:#fcfcfc }
   .note { margin-left:2em; font-weight:bold; font-style:italic; color:#008000 }
   p.note::before { content:"Note: " }
   .XXX { padding:.5em; border:solid #f00 }
   p.XXX::before { content:"Issue: " }
   dl.switch { padding-left:2em }
   dl.switch > dt { text-indent:-1.5em }
   dl.switch > dt:before { content:'\21AA'; padding:0 0.5em 0 0; display:inline-block; width:1em; text-align:right; line-height:0.5em }
   dl.domintro { color: green; margin: 2em 0 2em 2em; padding: 0.5em 1em; border: none; background: #DDFFDD; }
   dl.domintro dt, dl.domintro dt * { color: black; text-decoration: none; }
   dl.domintro dd { margin: 0.5em 0 1em 2em; padding: 0; }
   dl.domintro dd p { margin: 0.5em 0; }
   dl.domintro:before { display: table; margin: -1em -0.5em -0.5em auto; width: auto; content: 'This box is non-normative. Implementation requirements are given below this box.'; color: red; border: solid 2px; background: white; padding: 0 0.25em; }
   em.ct { text-transform:lowercase; font-variant:small-caps; font-style:normal }
   dfn { font-weight:bold; font-style:normal }
   code { color:orangered }
   code :link, code :visited { color:inherit }
   hr:not(.top) { display:block; background:none; border:none; padding:0; margin:2em 0; height:auto }
   table { border-collapse:collapse; border-style:hidden hidden none hidden }
   table thead { border-bottom:solid }
   table tbody th:first-child { border-left:solid }
   table td, table th { border-left:solid; border-right:solid; border-bottom:solid thin; vertical-align:top; padding:0.2em }

   .warning { color: red; background: transparent; font-weight: bolder; font-style: italic; }
   .warning p:first-child { margin-top: 0; }
   .warning p:last-child { margin-bottom: 0; }
   .warning:before { font-style: normal; }
   p.warning:before { content: '\26A0 Warning! '; }

   @media print {
     [data-anolis-spec]::after { content:"[" attr(data-anolis-spec) "]"; font-size:.6em; vertical-align:super; text-transform:uppercase }
   }
  </style>
  <link href="http://www.w3.org/StyleSheets/TR/W3C-WD" rel="stylesheet">
 </head>
 <body>

<div class="head">

<!--begin-logo-->
<p><a href="http://www.w3.org/"><img alt="W3C" height="48" src="http://www.w3.org/Icons/w3c_home" width="72"></a></p>
<!--end-logo-->
 <h1>The From-Origin Header</h1>
 <h2 class="no-num no-toc" id="w3c-working-draft-21-july-2011">W3C Working Draft 21 July 2011</h2>

 <dl>
  <dt>This Version:
  <dd class="publish"><a href="http://www.w3.org/TR/2011/WD-from-origin-20110721/">http://www.w3.org/TR/2011/WD-from-origin-20110721/</a>

  <dt class="publish">Latest Version:
  <dd class="publish"><a href="http://www.w3.org/TR/from-origin/">http://www.w3.org/TR/from-origin/</a>

  <dt class="publish">Latest Editor's Draft:
  <dd class="publish"><a href="http://dvcs.w3.org/hg/from-origin/raw-file/tip/Overview.html">http://dvcs.w3.org/hg/from-origin/raw-file/tip/Overview.html</a>

<!--
  <dt>Previous Versions:
  <dd><a href=""></a>
-->

  <dt>Editor:
  <dd><a href="http://annevankesteren.nl/">Anne van Kesteren</a>
    (<a href="http://www.opera.com/">Opera Software ASA</a>)
    &lt;<a href="mailto:annevk@opera.com">annevk@opera.com</a>&gt;
 </dl>

<!--begin-copyright-->
<p class="copyright"><a href="http://www.w3.org/Consortium/Legal/ipr-notice#Copyright">Copyright</a> &copy; 2011 <a href="http://www.w3.org/"><abbr title="World Wide Web Consortium">W3C</abbr></a><sup>&reg;</sup> (<a href="http://www.csail.mit.edu/"><abbr title="Massachusetts Institute of Technology">MIT</abbr></a>, <a href="http://www.ercim.eu/"><abbr title="European Research Consortium for Informatics and Mathematics">ERCIM</abbr></a>, <a href="http://www.keio.ac.jp/">Keio</a>), All Rights Reserved. W3C <a href="http://www.w3.org/Consortium/Legal/ipr-notice#Legal_Disclaimer">liability</a>, <a href="http://www.w3.org/Consortium/Legal/ipr-notice#W3C_Trademarks">trademark</a> and <a href="http://www.w3.org/Consortium/Legal/copyright-documents">document use</a> rules apply.</p>
<!--end-copyright-->
</div>

<hr class="top">

<h2 class="no-num no-toc" id="abstract">Abstract</h2>
<p>The From-Origin Header specification defines the
<code title="http-from-origin"><a href="#http-from-origin">From-Origin</a></code> response header &mdash; a way for
resources to declare they are unavailable within an embedding context.


<h2 class="no-num no-toc" id="sotd">Status of this Document</h2>
<p><i>This section describes the status of this document at the time of its
publication. Other documents may supersede this document. A list of current W3C
publications and the latest revision of this technical report can be found in
the <a href="http://www.w3.org/TR/">W3C technical reports index</a> at
http://www.w3.org/TR/.</i>

<p>This is the 21 July 2011 First Public Working Draft <!--W3C Working Draft--> of The From-Origin Header. Please send comments to
<a href="mailto:public-webapps@w3.org?subject=%5Bfrom-origin%5D%20">public-webapps@w3.org</a>
(<a href="http://lists.w3.org/Archives/Public/public-webapps/">archived</a>)
with <samp>[from-origin]</samp> at the start of the subject line.

<p>This document is produced by the
<a href="http://www.w3.org/2008/webapps/">Web Applications</a> (WebApps) Working
Group. The WebApps Working Group is part of the
<a href="http://www.w3.org/2006/rwc/Activity">Rich Web Clients Activity</a> in
the W3C <a href="http://www.w3.org/Interaction/">Interaction Domain</a>.

<p>The contents of this document do not necessarily reflect the consensus of
the Working Group.</p>

<p>This document was produced by a group operating under the
<a href="http://www.w3.org/Consortium/Patent-Policy-20040205/">5 February 2004
W3C Patent Policy</a>. W3C maintains a
<a href="http://www.w3.org/2004/01/pp-impl/42538/status" rel="disclosure">public
list of any patent disclosures</a> made in connection with the deliverables of
the group; that page also includes instructions for disclosing a patent. An
individual who has actual knowledge of a patent which the individual believes
contains
<a href="http://www.w3.org/Consortium/Patent-Policy-20040205/#def-essential">Essential
Claim(s)</a> must disclose the information in accordance with
<a href="http://www.w3.org/Consortium/Patent-Policy-20040205/#sec-Disclosure">section
6 of the W3C Patent Policy</a>.

<p>Publication as a Working Draft does not imply endorsement by the W3C
Membership. This is a draft document and may be updated, replaced or
obsoleted by other documents at any time. It is inappropriate to cite this
document as other than work in progress.



<h2 class="no-num no-toc" id="table-of-contents">Table of Contents</h2>

<!--begin-toc-->
<ol class="toc">
 <li><a href="#conformance"><span class="secno">1 </span>Conformance</a></li>
 <li><a href="#terminology"><span class="secno">2 </span>Terminology</a></li>
 <li><a href="#introduction"><span class="secno">3 </span>Introduction</a></li>
 <li><a href="#from-origin-response-header"><span class="secno">4 </span><code title="">From-Origin</code> Response Header</a></li>
 <li><a class="no-num" href="#references">References</a>
  <ol class="toc">
   <li><a class="no-num" href="#normative-references">Normative references</a></ol></li>
 <li><a class="no-num" href="#acknowledgements">Acknowledgements</a></ol>
<!--end-toc-->



<h2 id="conformance"><span class="secno">1 </span>Conformance</h2>
<p>All diagrams, examples, and notes in this specification are
non-normative, as are all sections explicitly marked non-normative.
Everything else in this specification is normative.

<p>The key words "MUST", "MUST NOT", "REQUIRED", <!--"SHALL", "SHALL
NOT",--> "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and
"OPTIONAL" in the normative parts of this document are to be
interpreted as described in RFC2119. For readability, these words do
not appear in all uppercase letters in this specification. <a href="#refsRFC2119">[RFC2119]</a>



<h2 id="terminology"><span class="secno">2 </span>Terminology</h2>

<p>The terminology used in this specification is from <cite>HTML</cite> and
<cite>The Web Origin Concept</cite>
<a href="#refsHTML">[HTML]</a>
<a href="#refsORIGIN">[ORIGIN]</a>



<h2 id="introduction"><span class="secno">3 </span>Introduction</h2>

<!-- http://tools.ietf.org/html/draft-abarth-principles-of-origin -->

<p>The Web platform currently has no limitations on embedding resources from different
<a class="external" href="http://tools.ietf.org/html/draft-ietf-websec-origin#section-4" title="origin">origins</a>. E.g. an
HTML document on <code>http://example.org</code> can embed an image from
<code>http://corp.invalid</code> without issue. This has led to a number of
problems:</p>

<ul>
 <li>Bandwidth "theft" &mdash; the practice of embedding resources (e.g. images or
 fonts) from another server causing the owner of that server to get a higher
 hosting bill.

 <li>Clickjacking &mdash; embedding a resource from another
 <a class="external" href="http://tools.ietf.org/html/draft-ietf-websec-origin#section-4">origin</a> and attempting to let the
 visitor click on a concealed link thereof, causing harm to the visitor.

 <li>Privacy leakage &mdash; sometimes resource availability depends on whether a
 visitor is signed in to a particular website. E.g. only with an I'm-signed-in
 cookie will an image be returned; otherwise an HTML document is returned. An
 HTML document embedding such a resource (requested with the user's credentials)
 can figure out whether that resource exists, and thus whether the visitor is
 signed in and therefore has an account with a particular service.

 <li>License checking &mdash; certain font licenses require that the font be
 prevented from being embedded on other
 <a class="external" href="http://tools.ietf.org/html/draft-ietf-websec-origin#section-4" title="origin">origins</a>.
</ul>

<p>This specification attempts to tackle these problems to some extent.

<p>Privacy leakage can however still be a problem if the resource in question has different latency characteristics depending on whether the I'm-signed-in cookie is present.</p>

<!--
http://scarybeastsecurity.blogspot.com/2009/12/cross-domain-search-timing.html
http://abortz.net/papers/timingweb.pdf

If the server has different latency characteristics depending on
whether the user is signed in, an attacker can still learn something
about the user's signed-in state even if the server uses From-Origin.
-->

<p class="XXX">Should we try to phase out
<code title="http-x-frame-options">X-Frame-Options</code> and replace it with
this header or extend
<code title="http-x-frame-options">X-Frame-Options</code> to cover the cases
addressed by <code title="http-from-origin"><a href="#http-from-origin">From-Origin</a></code>?



<h2 id="from-origin-response-header"><span class="secno">4 </span><code title="">From-Origin</code> Response Header</h2>


<p>The <dfn id="http-from-origin" title="http-from-origin"><code>From-Origin</code></dfn> header can
be used to restrict embedding of a resource to only certain
<a class="external" href="http://tools.ietf.org/html/draft-ietf-websec-origin#section-4" title="origin">origins</a>. When used it must
match the following ABNF:</p>

<pre>From-Origin = "From-Origin" ":" #(<a class="external" href="http://tools.ietf.org/html/draft-ietf-websec-origin#section-7.1">serialized-origin</a> | "same")</pre>

<p>The ABNF used is defined by HTTP. <a href="#refsHTTP">[HTTP]</a>

<p>When a resource is <a class="external" href="http://www.whatwg.org/html/#fetch" title="fetch">fetched</a>,
these steps must be run in addition to the steps that are being run for
<a class="external" href="http://www.whatwg.org/html/#fetch" title="fetch">fetching</a> the resource. They
must be run as if they were part of the
<a class="external" href="http://www.whatwg.org/html/#fetch" title="fetch">fetching</a> algorithm's
<i>main step</i>. If a network error is to be returned rather than a
resource, the <a class="external" href="http://www.whatwg.org/html/#fetch" title="fetch">fetching</a>
algorithm must be terminated, meaning e.g. that cookies will not be updated. If
this algorithm ends for other reasons,
<a class="external" href="http://www.whatwg.org/html/#fetch" title="fetch">fetching</a> must proceed as
normal.

<ol>
 <li><p>If the resource being
 <a class="external" href="http://www.whatwg.org/html/#fetch" title="fetch">fetched</a> does not carry a
 <code title="http-from-origin"><a href="#http-from-origin">From-Origin</a></code> header, or the header cannot be
 parsed per the above ABNF, terminate these steps.
 <!-- XXX can be improved when shit gets real -->
 <li>
  <p>If the resource is being
  <a class="external" href="http://www.whatwg.org/html/#fetch" title="fetch">fetched</a> as the result of
  <a class="external" href="http://www.whatwg.org/html/#navigate" title="navigate">navigating</a> a
  non-<a class="external" href="http://www.whatwg.org/html/#child-browsing-context">child browsing context</a> terminate
  these steps.</p>
  <p class="note">We do not want to restrict non-embedding scenarios.</p>
 </li>
 <li><p>Let <var title="">source origin</var> be the
 <a class="external" href="http://tools.ietf.org/html/draft-ietf-websec-origin#section-4">origin</a> of
 the API that caused the resource to be
 <a class="external" href="http://www.whatwg.org/html/#fetch" title="fetch">fetched</a> or
 the <a class="external" href="http://tools.ietf.org/html/draft-ietf-websec-origin#section-4">origin</a> of the
 <a class="external" href="http://www.whatwg.org/html/#source-browsing-context">source browsing context</a> if the
 <a class="external" href="http://www.whatwg.org/html/#fetch" title="fetch">fetching</a> was the result of
 <a class="external" href="http://www.whatwg.org/html/#navigate" title="navigate">navigating</a>.
 <li><p>Let <var title="">target origin</var> be the <span>origin</span>
 of the resource being <a class="external" href="http://www.whatwg.org/html/#fetch" title="fetch">fetched</a>.
 <li>
  <p>If <var title="">source origin</var> and <var>target origin</var>
  are <a class="external" href="http://tools.ietf.org/html/draft-ietf-websec-origin#section-5">same origin</a> terminate these
  steps.
  <p class="note">We do not want to restrict same-origin scenarios.</p>
 </li>
 <li><p>Let <var title="">allowed origins</var> be the values of the
 <code title="http-from-origin"><a href="#http-from-origin">From-Origin</a></code> header(s) of the resource
 being <a class="external" href="http://www.whatwg.org/html/#fetch" title="fetch">fetched</a>.
 <li><p>If none of the values of <var title="">allowed origins</var> are
 equal to the <var title="">source origin</var>, return a network error
 instead of the resource being <a class="external" href="http://www.whatwg.org/html/#fetch" title="fetch">fetched</a>.
 <li><p>Otherwise, proceed as normal.
</ol>
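<p>The eight steps above, worked through as an added example in JavaScript (written for this page; it is not code from the W3C draft or from any browser). It assumes a <code>request</code> object with <code>sourceOrigin</code>, <code>targetOrigin</code> and <code>topLevelNavigation</code> fields standing in for what the fetching algorithm already knows, and passes origins in their serialized form:</p>

```javascript
// Added example, not part of the W3C draft: a model of the section 4
// algorithm showing which embedding fetches a conforming user agent
// would turn into a network error. Origins are passed in serialized
// form (scheme "://" host [":" port]) as defined in [ORIGIN].

// One header element; the host part may carry no path, query,
// fragment or userinfo characters.
const SERIALIZED_ORIGIN = /^[A-Za-z][A-Za-z0-9+.-]*:\/\/[^\/?#@\s]+$/;

// Parse the From-Origin field value(s). The ABNF #(serialized-origin | "same")
// is a comma-separated list, so several header fields are simply joined.
// Returns null if any element fails to parse (step 1 then ignores the header).
function parseFromOrigin(headerValues) {
  const allowed = [];
  for (const field of headerValues) {
    for (const raw of field.split(",")) {
      const token = raw.trim();
      if (token === "") continue;                 // #-lists tolerate empty elements
      if (token === "same") { allowed.push("same"); continue; }
      if (!SERIALIZED_ORIGIN.test(token)) return null;
      // Canonicalise case and default ports ("https://a.example:443" becomes
      // "https://a.example"). Non-special schemes get an opaque ("null")
      // origin from the URL parser and are kept exactly as written.
      const origin = new URL(token).origin;
      allowed.push(origin === "null" ? token : origin);
    }
  }
  return allowed;
}

// Run steps 1-8 for one fetch. `request` is what the user agent already
// knows: the serialized origin of the API or source browsing context that
// caused the fetch, the serialized origin of the fetched resource, and
// whether the fetch navigates a non-child browsing context. Comparing
// serialized origins stands in for the [ORIGIN] same-origin algorithm.
function fromOriginDecision(request, fromOriginHeaders) {
  const allowed = parseFromOrigin(fromOriginHeaders);
  if (fromOriginHeaders.length === 0 || allowed === null) return "resource"; // step 1
  if (request.topLevelNavigation) return "resource";                          // step 2
  if (request.sourceOrigin === request.targetOrigin) return "resource";       // step 5
  // Steps 6-8: "same" never equals a cross-origin source origin, so a bare
  // "From-Origin: same" refuses every third-party embed.
  return allowed.includes(request.sourceOrigin) ? "resource" : "network error";
}

// Constructed sample: a font host that licenses embedding on two sites only.
const fontHeaders = ["https://news.example, https://shop.example"];
const embed = (source) => ({ sourceOrigin: source, targetOrigin: "https://fonts.example", topLevelNavigation: false });
console.log(fromOriginDecision(embed("https://news.example"), fontHeaders));  // resource
console.log(fromOriginDecision(embed("https://other.example"), fontHeaders)); // network error
```

<p>Note that an empty field value (<code>From-Origin:</code> with no elements) is valid per the ABNF and, by step 7, refuses every cross-origin embed, while an unparseable value is ignored at step 1 and the resource is served as if the header were absent.</p>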



<h2 class="no-num" id="references">References</h2>
<h3 class="no-num" id="normative-references">Normative references</h3>
<div id="anolis-references-normative"><dl><dt id="refsHTML">[HTML]
<dd><cite><a href="http://www.whatwg.org/html">HTML</a></cite>, I. Hickson. WHATWG.

<dt id="refsHTTP">[HTTP]
<dd><cite><a href="http://tools.ietf.org/html/rfc2616">Hypertext Transfer Protocol -- HTTP/1.1</a></cite>, R. Fielding, J. Gettys, J. Mogul et al. IETF.

<dt id="refsORIGIN">[ORIGIN]
<dd><cite><a href="http://tools.ietf.org/html/draft-ietf-websec-origin">The Web Origin Concept</a></cite>, A. Barth. IETF.

<dt id="refsRFC2119">[RFC2119]
<dd><cite><a href="http://www.ietf.org/rfc/rfc2119.txt">Key words for use in RFCs to Indicate Requirement Levels</a></cite>, S. Bradner. IETF.

</dl></div>


<!--<h3 class=no-num>Informative references</h3>
<div id=anolis-references-informative></div>-->



<h2 class="no-num" id="acknowledgements">Acknowledgements</h2>

<p>Thanks to

Adam Barth,
David Singer,
Glenn Maynard,
John Daggett,
Jonathan Rees,
H&aring;kon Wium Lie,
Henri Sivonen and
Ms2ger

for their useful comments.