
Re: Comments on the HTTP Sec-From Header (draft-abarth-origin)

From: Ian Hickson <ian@hixie.ch>
Date: Thu, 23 Jul 2009 06:04:44 +0000 (UTC)
To: Adam Barth <w3c@adambarth.com>
Cc: Mark Nottingham <mnot@mnot.net>, Anne van Kesteren <annevk@opera.com>, "collinj@cs.stanford.edu" <collinj@cs.stanford.edu>, HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <Pine.LNX.4.62.0907230603450.12284@hixie.dreamhostps.com>

On Wed, 22 Jul 2009, Adam Barth wrote:
> I wonder if this syntax would work for CORS too?  We can take the 
> discussion to web-apps if you like, but the idea is if you get a 
> redirect (e.g., of a DELETE), then you can add a second Origin header to 
> the request instead of modifying the existing header.

I think that relying on sites to handle multiple headers correctly 
(especially when in the common case there will only be one) is asking for 
trouble. I know that they'd be breaking the spec if they didn't, but that 
isn't going to be any consolation when they get tricked.

Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Thursday, 23 July 2009 06:05:25 UTC
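
The failure mode raised in the reply above, as an added example that is not part of the original message or of the draft: a check that reads a single Origin value passes a request carrying a second, untrusted Origin line, while a check over every value fails closed. The allowlist, host names and header lists are constructed assumptions.

```python
# Added example: header lists are constructed; TRUSTED_ORIGINS is hypothetical.
TRUSTED_ORIGINS = {"https://app.example"}


def origin_values(headers):
    """Return every Origin value in a list of (name, value) header pairs.

    Repeated header lines are collected, and comma-joined values are split,
    since intermediaries may fold repeated headers into one line.
    """
    values = []
    for name, value in headers:
        if name.lower() == "origin":
            values.extend(part.strip() for part in value.split(","))
    return values


def naive_is_trusted(headers):
    """Weak check: a single-valued lookup that sees only the first Origin."""
    for name, value in headers:
        if name.lower() == "origin":
            return value.strip() in TRUSTED_ORIGINS
    return False


def strict_is_trusted(headers):
    """Fail closed: at least one Origin, and every value must be trusted."""
    values = origin_values(headers)
    return bool(values) and all(v in TRUSTED_ORIGINS for v in values)


# Constructed requests: a direct request, one that passed through a redirect
# where a second Origin header was appended, and the same pair folded.
DIRECT = [("Host", "api.example"), ("Origin", "https://app.example")]
REDIRECTED = DIRECT + [("Origin", "https://other.example")]
FOLDED = [("Origin", "https://app.example, https://other.example")]

if __name__ == "__main__":
    for label, req in (("direct", DIRECT), ("redirected", REDIRECTED),
                       ("folded", FOLDED)):
        print(label, "naive:", naive_is_trusted(req),
              "strict:", strict_is_trusted(req))
```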
