
Re: CSR and Mozilla - Clarifying HTTP Header Filtering

From: Thomas Roessler <tlr@w3.org>
Date: Tue, 19 Feb 2008 12:23:04 +0100
To: Anne van Kesteren <annevk@opera.com>
Cc: Mark Baker <distobj@acm.org>, mike amundsen <mamund@yahoo.com>, John Panzer <jpanzer@acm.org>, Jonas Sicking <jonas@sicking.cc>, public-appformats@w3.org
Message-ID: <20080219112304.GI3461@iCoaster.does-not-exist.org>

On 2008-02-19 08:48:58 +0100, Anne van Kesteren wrote:

> No, these are completely different cases. What you're referring
> to is ok for same-origin requests and is what the same-origin
> requests still allow. Non same-origin requests probably require a
> different policy though.

That's not obvious to me.  So far, the basic model is that (a)
cross-origin requests are treated roughly the same as same-origin
requests, but (b) require specific authorization for precisely that
reason.  (See also the accountability thread.)

-- 
Thomas Roessler, W3C  <tlr@w3.org>
Received on Tuesday, 19 February 2008 11:23:17 GMT
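The model Thomas describes (cross-origin requests handled like same-origin ones, but only after explicit authorization) can be made concrete as a small server-side policy check. The following is an added example, not code from the thread or from any W3C draft; it uses the header vocabulary of the CORS specification as it was eventually standardized (`Origin`, `Access-Control-Request-Headers`, `Access-Control-Allow-Origin`, `Access-Control-Allow-Headers`), and the origin and header allow-lists are constructed values, not anything the discussion names.

```python
from dataclasses import dataclass, field
from typing import Dict

# Constructed policy for this example (assumptions, not values from the thread):
# origins the server has explicitly authorized, and the request headers such a
# foreign origin is permitted to set.
ALLOWED_ORIGINS = {"https://app.example"}
ALLOWED_REQUEST_HEADERS = {"content-type", "x-requested-with"}

# Headers that carry ambient authority or identify the sender; a cross-origin
# caller must never be allowed to supply these, whatever the allow-list says.
FORBIDDEN_HEADERS = {"cookie", "authorization", "host", "origin", "referer"}


@dataclass
class Decision:
    allowed: bool
    reason: str
    response_headers: Dict[str, str] = field(default_factory=dict)


def evaluate(server_origin: str, request_headers: Dict[str, str]) -> Decision:
    """Apply the two-part model: (a) same-origin requests go through under the
    existing policy; (b) cross-origin requests are treated the same way only once
    the origin is on the allow-list and every requested header is permitted."""
    hdrs = {k.lower(): v for k, v in request_headers.items()}
    origin = hdrs.get("origin")

    # No Origin header, or Origin equal to ourselves: the same-origin case (a).
    if origin is None or origin.lower() == server_origin.lower():
        return Decision(True, "same-origin")

    # Case (b): first the authorization of the foreign origin itself.
    if origin.lower() not in ALLOWED_ORIGINS:
        return Decision(False, "origin not authorized")

    # Then the header filtering: only headers the policy names may cross origins.
    raw = hdrs.get("access-control-request-headers", "")
    requested = [h.strip().lower() for h in raw.split(",") if h.strip()]
    forbidden = [h for h in requested if h in FORBIDDEN_HEADERS]
    if forbidden:
        return Decision(False, "forbidden header requested: " + ", ".join(forbidden))
    unlisted = [h for h in requested if h not in ALLOWED_REQUEST_HEADERS]
    if unlisted:
        return Decision(False, "header not on allow-list: " + ", ".join(unlisted))

    # Authorized: echo back exactly what was granted, never a wildcard.
    return Decision(True, "cross-origin, authorized", {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Headers": ", ".join(requested),
    })


if __name__ == "__main__":
    server = "https://api.example"  # constructed server origin
    # Constructed sample requests covering both branches of the model.
    samples = [
        {"Host": "api.example"},
        {"Origin": "https://api.example"},
        {"Origin": "https://evil.example"},
        {"Origin": "https://app.example",
         "Access-Control-Request-Headers": "Content-Type, Cookie"},
        {"Origin": "https://app.example",
         "Access-Control-Request-Headers": "Content-Type"},
    ]
    for req in samples:
        d = evaluate(server, req)
        print(req, "->", d.allowed, d.reason, d.response_headers)
```

The point the example makes is that the same code path serves both cases: a same-origin request is never filtered, while a foreign origin reaches that path only after passing two explicit checks, and the response then states precisely the origin and headers that were granted.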
