Re: Comments on the HTTP Sec-From Header (draft-abarth-origin)

If they're using CGI or pretty much any Web framework, it'll be done  
for them automatically. This is actually very well-implemented.


On 23/07/2009, at 4:04 PM, Ian Hickson wrote:

> On Wed, 22 Jul 2009, Adam Barth wrote:
>>
>> I wonder if this syntax would work for CORS too?  We can take the
>> discussion to web-apps if you like, but the idea is if you get a
>> redirect (e.g., of a DELETE), then you can add a second Origin header to
>> the request instead of modifying the existing header.
>
> I think that relying on sites to handle multiple headers correctly
> (especially when in the common case there will only be one) is asking for
> trouble. I know that they'd be breaking the spec if they didn't, but that
> isn't going to be any consolation when they get tricked.
>
> -- 
> Ian Hickson               U+1047E                )\._.,--....,'``.    fL
> http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
> Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'


--
Mark Nottingham     http://www.mnot.net/

Received on Thursday, 23 July 2009 06:07:11 UTC
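
The two positions in this thread, as an added example that is not part of the original messages: folding repeated header fields into one comma-separated value (the combination RFC 2616 section 4.2 describes and CGI gateways perform) next to a check that reads only the first Origin field. The allowlist, host names, function names and sample requests are constructed for illustration.

```python
import re

# Constructed allowlist; the host names are placeholders.
TRUSTED = {"https://app.example"}

def fold_headers(raw_headers):
    """Combine repeated fields into one value, joined with ", " in arrival
    order, as a CGI gateway or framework does before the application runs."""
    folded = {}
    for name, value in raw_headers:
        key = name.lower()
        value = value.strip()
        folded[key] = folded[key] + ", " + value if key in folded else value
    return folded

def naive_check(raw_headers):
    """Fragile pattern: trusts the first Origin field and ignores the rest."""
    for name, value in raw_headers:
        if name.lower() == "origin":
            return value.strip() in TRUSTED
    return False

def strict_check(raw_headers):
    """Accept only when every origin in the folded value is trusted."""
    value = fold_headers(raw_headers).get("origin")
    if not value:
        return False
    # Split on commas and whitespace so either list syntax is covered.
    origins = [o for o in re.split(r"[,\s]+", value) if o]
    return bool(origins) and all(o in TRUSTED for o in origins)

# Constructed requests: one Origin field, and a second field appended
# after a redirect as proposed in the quoted message.
ONE = [("Host", "app.example"), ("Origin", "https://app.example")]
TWO = ONE + [("Origin", "https://other.example")]

if __name__ == "__main__":
    print(fold_headers(TWO)["origin"])
    print("naive:", naive_check(TWO), "strict:", strict_check(TWO))
```

Code that receives the folded value sees both origins in one string; code that iterates raw fields and stops at the first match does not, which is the case where the two checks disagree.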