W3C home > Mailing lists > Public > ietf-http-wg@w3.org > January to March 2009

Re: The HTTP Origin Header (draft-abarth-origin)

From: Adrien de Croy <adrien@qbik.com>
Date: Tue, 27 Jan 2009 14:34:27 +1300
Message-ID: <497E64A3.7030203@qbik.com>
To: Adam Barth <w3c@adambarth.com>
CC: Mark Nottingham <mnot@mnot.net>, "Roy T. Fielding" <fielding@gbiv.com>, Larry Masinter <LMM@acm.org>, ietf-http-wg@w3.org, Lisa Dusseault <ldusseault@commerce.net> 



Adam Barth wrote:
> On Mon, Jan 26, 2009 at 4:40 PM, Adrien de Croy <adrien@qbik.com> wrote:
>   
>>> In a sense, the same argument could be advanced about any browser
>>> feature (CSS, <canvas>, etc).  This shouldn't stop us from innovating.
>>>       
>> this is security we're talking about though, not additional nice-to-have
>> features.  Again, we still need to secure all users, and can't wait until
>> deployment of some new header.
>>     
>
> It is impossible to secure all the users who visit your Web site.  You
> cannot secure users with IE5 or Firefox 1.0, for example.  Moreover,
> the header provides incremental value while it is being deployed.
>
>   
Do you have any more information on this you could refer me to?  I find 
it hard to believe that there can be no security scheme which would be 
browser-independent.

Regards

Adrien

-- 
Adrien de Croy - WinGate Proxy Server - http://www.wingate.com
Received on Tuesday, 27 January 2009 01:32:18 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Monday, 7 December 2009 10:38:35 GMT