Add From-Origin? #365

Closed
annevk opened this issue Aug 10, 2016 · 3 comments
Labels
security/privacy There are security or privacy implications

Comments

@annevk
Member

annevk commented Aug 10, 2016

Notes from @jakearchibald:

  • A header on the response which prevents the browser using a response if it's initiated by another origin, with the exception of top-level GET navigations where the initiator has no access to a WindowProxy or a load event
  • Can be easily added to all requests like x-frame-options, with exceptions where needed (including whitelisting a particular origin)
  • Without those exceptions it would break basic <img> and <script> linking, although some hosts may be happy with the ability to do that
  • Protects unauthenticated-but-private hosts like local servers and intranets
  • Also prevents clickjacking and window.open, so load times that may be influenced by origin storage aren't exposed
  • Doesn't really protect against CSRF, as the credentialed request is still sent to the target
  • Abandoned, but its intent could be revived. Feels like a good fit for CSP given CSP has frame-ancestors
  • Would need to terminate the connection upon failure, to prevent exposing size through TCP windows

This could be part of CSP, but CSP thus far doesn't have response-specific rules. So it's more like a logical counterpart to CORS. @mikewest?

(See #355 and w3c/resource-timing#64 for some earlier discussion on this. See https://www.w3.org/TR/2012/NOTE-from-origin-20120529/ for an earlier iteration of this idea, with somewhat different semantics.)

@annevk annevk added the security/privacy There are security or privacy implications label Aug 10, 2016
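To make the proposal in the bullet list concrete, here is an added example (not code from this issue, the Fetch spec, or any browser) of the decision a browser would take when a response carries a From-Origin header. It follows the semantics the notes above describe: the response is usable only if the initiating origin is allowed, top-level GET navigations are exempt, and a blocked response closes the connection rather than merely hiding the body. The value grammar (the keyword `same` plus a whitespace-separated list of serialized origins) is an assumption, since the thread never settles on one; every URL and origin below is a constructed sample.

```python
"""Assumed enforcement logic for the proposed From-Origin response header.

Not the project's code. Header grammar is an assumption:
    From-Origin: same
    From-Origin: same https://partner.example
i.e. the keyword "same" (the response's own origin) and/or a list of
serialized origins, separated by whitespace.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Optional
from urllib.parse import urlsplit


class Decision(Enum):
    ALLOW = "allow"
    # The notes require closing the connection on failure so the response
    # size cannot be inferred from TCP window behaviour.
    BLOCK_AND_CLOSE = "block-and-close-connection"


def serialize_origin(url: str) -> str:
    """Return scheme://host[:port] for a URL, dropping the default port."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port
    if port is None or port == {"http": 80, "https": 443}.get(scheme):
        return f"{scheme}://{host}"
    return f"{scheme}://{host}:{port}"


@dataclass(frozen=True)
class Request:
    # Origin of the document that caused the fetch; None when the user
    # typed the address or followed a bookmark (no initiating document).
    initiator_origin: Optional[str]
    method: str = "GET"
    top_level_navigation: bool = False


def allowed_origins(response_url: str, header_value: str) -> set:
    """Expand the header into the set of origins permitted to use the response."""
    own = serialize_origin(response_url)
    allowed = set()
    for token in header_value.split():
        if token.lower() == "same":          # assumed keyword
            allowed.add(own)
        else:
            allowed.add(serialize_origin(token))
    return allowed


def from_origin_decision(response_url: str,
                         header_value: Optional[str],
                         request: Request) -> Decision:
    """Decide whether the browser may hand this response to its initiator."""
    # No header (or an empty one): behave as today, the response is usable.
    if header_value is None or not header_value.split():
        return Decision.ALLOW
    # Exception from the notes: a top-level GET navigation, where the
    # initiator gets no WindowProxy and no load event, is always allowed.
    if request.top_level_navigation and request.method.upper() == "GET":
        return Decision.ALLOW
    # A non-navigation fetch with no initiating document is treated
    # conservatively (assumption): nothing can vouch for it, so block.
    if request.initiator_origin is None:
        return Decision.BLOCK_AND_CLOSE
    initiator = serialize_origin(request.initiator_origin)
    if initiator in allowed_origins(response_url, header_value):
        return Decision.ALLOW
    return Decision.BLOCK_AND_CLOSE


if __name__ == "__main__":
    # Constructed sample: an intranet script tagged "From-Origin: same".
    intranet = "https://intranet.example/app.js"
    print(from_origin_decision(intranet, "same", Request("https://intranet.example")))
    print(from_origin_decision(intranet, "same", Request("https://other.example")))
```

Run it as a script to see an allowed same-origin fetch followed by a blocked cross-origin one. The `BLOCK_AND_CLOSE` outcome is deliberately distinct from `ALLOW`-with-empty-body: a browser that silently substituted an empty response would still leak timing and size, which is exactly the channel the last bullet above wants closed.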
@jakearchibald
Collaborator

What would my Vary header be when responding with From-Origin? Given the Origin header isn't always sent, I could run into difficulties.

@mnot
Member

mnot commented Aug 11, 2016

What would the possible values be, and does it allow only one, or any number?

@annevk
Member Author

annevk commented Aug 26, 2016

There's still not much interest in this so I'm closing this. Most popular CSRF defense is still same-site cookies, though it's unclear how fast everyone is implementing that.
