Re: The HTTP Origin Header (draft-abarth-origin)

On Mon, Jan 26, 2009 at 2:00 AM, Thomas Broyer <t.broyer@gmail.com> wrote:
> What if the UA discards the Origin value (i.e. use "null" or some other
> value) when crossing "zone" boundaries?

That's an interesting idea.  I'm not sure we have the notion of a
"zone" available to us at this level of abstraction.  Internet
Explorer certainly has that concept, but I'm not sure other browsers
do.

> When an Intranet web page issues a request to an Internet resource,
> then the UA SHOULD send "Origin: null" instead of "Origin:
> http://<intranet-server>".

We could recommend this in the non-normative privacy considerations
section.  It's certainly permitted by the current draft.

> Could it work? (I suppose this could be done based on which range the
> IP-address of the target resource belongs to, after DNS resolution;
> but maybe DNS resolution doesn't always happen depending on the proxy
> configuration –I don't know how this works)

I don't think we want to go about specifying this in detail.  We're
unlikely to get it right considering that IE lets the user configure
what sites are in which zones.

Adam

Received on Tuesday, 27 January 2009 00:11:49 UTC
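
The zone-boundary idea discussed in this thread, sketched as an added example (not code from the message or from draft-abarth-origin). Assumptions: the "intranet zone" is approximated by private, loopback and link-local address ranges, a target the UA could not resolve (for example behind a proxy) is treated as Internet, and the function names and sample hosts are hypothetical.

```python
import ipaddress
from typing import Optional
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def is_intranet(ip: Optional[str]) -> Optional[bool]:
    """Classify a resolved address; None means the UA never resolved it
    (for example, a proxy performs the DNS lookup)."""
    if ip is None:
        return None
    addr = ipaddress.ip_address(ip)
    # Assumption: "intranet zone" = private, loopback or link-local ranges.
    return addr.is_private or addr.is_loopback or addr.is_link_local


def serialize_origin(url: str) -> str:
    """scheme://host[:port], omitting the scheme's default port."""
    parts = urlsplit(url)
    scheme, host = parts.scheme.lower(), parts.hostname
    if scheme not in DEFAULT_PORTS or not host:
        return "null"
    if ":" in host:  # IPv6 literal needs its brackets back
        host = f"[{host}]"
    if parts.port in (None, DEFAULT_PORTS[scheme]):
        return f"{scheme}://{host}"
    return f"{scheme}://{host}:{parts.port}"


def origin_header(source_url: str, source_ip: Optional[str],
                  target_ip: Optional[str]) -> str:
    """Value of the Origin header for a request made by the page at source_url."""
    # Withhold the origin when an intranet page talks to anything not known
    # to be intranet; an unresolved target is treated as Internet (assumption).
    if is_intranet(source_ip) and is_intranet(target_ip) is not True:
        return "null"
    return serialize_origin(source_url)


if __name__ == "__main__":
    # Constructed sample hosts and addresses.
    page = "http://wiki.corp.example:8080/page"
    for target in ("10.0.0.9", "93.184.216.34", None):
        print(target, "->", origin_header(page, "10.0.0.5", target))
```

The user-configurable zone lists mentioned in the reply are not modelled here; a UA with such lists would consult them in place of `is_intranet`.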