
Re: The HTTP Origin Header (draft-abarth-origin)

From: Bil Corry <bil@corry.biz>
Date: Sat, 24 Jan 2009 20:52:24 -0600
Message-ID: <497BD3E8.3040202@corry.biz>
To: ietf-http-wg@w3.org

Adam Barth wrote on 1/24/2009 5:31 PM: 
> On Sat, Jan 24, 2009 at 3:27 PM, Bil Corry <bil@corry.biz> wrote:
>> Doesn't XHR2 send the Origin header for GET?  That's prohibited by Adam's Origin draft,
> 
> That is not prohibited by the draft.  The draft has only positive
> requirements on sending the Origin header.

Ah, then it's just a matter of semantics.  If the CSRF Origin was written to have "only positive requirements" to send the Origin header when the Origin is itself, then it wouldn't preclude the XHR2 Origin from sending it on cross-site requests.  I believe that would then address Ian's concern, correct?


- Bil
Received on Sunday, 25 January 2009 02:53:04 GMT
