
Re: Comments on the HTTP Sec-From Header (draft-abarth-origin)

From: Mark Nottingham <mnot@mnot.net>
Date: Thu, 23 Jul 2009 16:06:30 +1000
Cc: Adam Barth <w3c@adambarth.com>, Anne van Kesteren <annevk@opera.com>, "collinj@cs.stanford.edu" <collinj@cs.stanford.edu>, HTTP Working Group <ietf-http-wg@w3.org>
Message-Id: <BDF0300B-1F91-4598-8AD5-0DDFAFD70291@mnot.net>
To: Ian Hickson <ian@hixie.ch>
If they're using CGI or pretty much any Web framework, it'll be done
for them automatically. This is actually very well-implemented.


On 23/07/2009, at 4:04 PM, Ian Hickson wrote:

> On Wed, 22 Jul 2009, Adam Barth wrote:
>>
>> I wonder if this syntax would work for CORS too?  We can take the
>> discussion to web-apps if you like, but the idea is if you get a
>> redirect (e.g., of a DELETE), then you can add a second Origin header to
>> the request instead of modifying the existing header.
>
> I think that relying on sites to handle multiple headers correctly
> (especially when in the common case there will only be one) is asking for
> trouble. I know that they'd be breaking the spec if they didn't, but that
> isn't going to be any consolation when they get tricked.
>
> -- 
> Ian Hickson               U+1047E                )\._.,--....,'``.    fL
> http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
> Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'


--
Mark Nottingham     http://www.mnot.net/
Received on Thursday, 23 July 2009 06:07:11 GMT
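
An added illustration of the two positions in this message, not code from either author or from the draft: a check that reads only the first Origin field next to one that folds repeated fields into a single comma-separated value (the combining that CGI gateways and most frameworks perform) and requires every entry to be allowed. The allowlist, function names, sample requests and the "every entry must be trusted" policy are assumptions made for the example.

```python
import re

# Hypothetical allowlist; all names and data below are constructed.
ALLOWED_ORIGINS = {"https://app.example"}

def fold_headers(raw_headers):
    """Combine repeated fields into one comma-separated value, in order,
    the way a CGI gateway or framework presents them to application code."""
    folded = {}
    for name, value in raw_headers:
        key = name.lower()
        value = value.strip()
        folded[key] = f"{folded[key]}, {value}" if key in folded else value
    return folded

def naive_origin_ok(raw_headers):
    """Fragile: trusts the first Origin field and never looks at later ones."""
    for name, value in raw_headers:
        if name.lower() == "origin":
            return value.strip() in ALLOWED_ORIGINS
    return False

def strict_origin_ok(raw_headers):
    """Accept only if Origin is present and every listed entry is allowed."""
    value = fold_headers(raw_headers).get("origin", "")
    entries = [e for e in re.split(r"[,\s]+", value) if e]
    return bool(entries) and all(e in ALLOWED_ORIGINS for e in entries)

# Constructed requests: one Origin field, and two Origin fields as in the
# redirect case discussed in the thread.
SINGLE = [("Host", "app.example"), ("Origin", "https://app.example")]
REDIRECTED = [
    ("Host", "app.example"),
    ("Origin", "https://app.example"),
    ("Origin", "https://other.example"),
]

if __name__ == "__main__":
    for label, req in (("single", SINGLE), ("redirected", REDIRECTED)):
        print(label, "naive:", naive_origin_ok(req), "strict:", strict_origin_ok(req))
```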
