
Re: [AC] URI canonicalization problem with Access-Control-Policy-Path

From: Collin Jackson <w3c@collinjackson.com>
Date: Wed, 11 Jun 2008 00:22:54 -0700
Message-ID: <986207e70806110022m427fcd7dx1435f4a43fb232b9@mail.gmail.com>
To: "Jon Ferraiolo" <jferrai@us.ibm.com>
Cc: "Jonas Sicking" <jonas@sicking.cc>, "WAF WG (public)" <public-appformats@w3.org>, "Adam Barth" <abarth@cs.stanford.edu>

On Thu, May 15, 2008 at 4:06 PM, Jon Ferraiolo <jferrai@us.ibm.com> wrote:
> * Like AC and JSONRequest, the request includes the originating domain that
> is making the cross-site request. (MS is likely to have heartburn over this
> one because XDR doesn't send the domain for privacy reasons, but maybe this
> can be a browser security preference where some browsers can set a default
> of don't-send-originating-domain)

XDomainRequest also includes the origin that is making the cross-site
request. Rather than naming this header "Origin", Microsoft named it
"Referer", but hopefully they'll eventually rename it "Origin" to
match XHR2+AC, JSONRequest, and postMessage.

Note that it's not sufficient to send only the originating domain. To
protect against network attackers, cross-site requests should send the
full origin, including the scheme. Some examples of why the scheme is
important are available at
<http://crypto.stanford.edu/websec/origins/scheme/>.

Collin Jackson
Received on Wednesday, 11 June 2008 07:23:29 GMT
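As an added illustration of the point made above about sending the full origin rather than only the domain (this is example code, not part of the original message or of any of the specifications discussed; the host names, the allow-list and the function names are hypothetical): a resource server that keys its allow-list on the host part of the Origin header cannot distinguish a request from https://bank.example from one that a network attacker injects via an unencrypted http://bank.example page, because both carry the same host. Comparing the serialized origin, scheme included, closes that gap.

```javascript
// Added example (not from the original thread): host-only versus full-origin
// checks on the Origin request header. All names here are hypothetical.

// Hypothetical allow-list for the resource server. Only the TLS origin is
// trusted; a network attacker can impersonate the plain-http one.
const ALLOWED_ORIGINS = new Set(["https://bank.example"]);

// Serialize an Origin header value as scheme://host[:port]. Returns null for
// values that are not http(s) URLs (e.g. "null" or garbage), which a server
// should treat as untrusted.
function serializeOrigin(originHeader) {
  let u;
  try {
    u = new URL(originHeader);
  } catch (e) {
    return null;
  }
  if (u.protocol !== "http:" && u.protocol !== "https:") return null;
  return u.origin; // the WHATWG URL parser drops default ports (80/443)
}

// Weak check: compares only the host, i.e. what a "domain only" header gives.
// http://bank.example and https://bank.example look identical here.
function allowedByHostOnly(originHeader) {
  const o = serializeOrigin(originHeader);
  if (o === null) return false;
  const host = new URL(o).hostname;
  for (const allowed of ALLOWED_ORIGINS) {
    if (new URL(allowed).hostname === host) return true;
  }
  return false;
}

// Correct check: compares the full serialized origin (scheme, host, port).
function allowedByFullOrigin(originHeader) {
  const o = serializeOrigin(originHeader);
  return o !== null && ALLOWED_ORIGINS.has(o);
}

// Process a (constructed) cross-site request's headers with both policies so
// the difference is visible side by side.
function decide(headers) {
  const origin = headers["origin"];
  if (origin === undefined) return { hostOnly: false, fullOrigin: false };
  return {
    hostOnly: allowedByHostOnly(origin),
    fullOrigin: allowedByFullOrigin(origin),
  };
}

// Constructed sample requests: the genuine TLS origin, the origin a network
// attacker can forge over plain http, and an unrelated site.
const SAMPLE_REQUESTS = [
  { origin: "https://bank.example" },
  { origin: "http://bank.example" },
  { origin: "https://evil.example" },
];

for (const req of SAMPLE_REQUESTS) {
  console.log(req.origin, decide(req));
}
```

The second sample request is the case the message warns about: the host-only policy accepts it, the full-origin policy rejects it. Note that serializeOrigin also normalizes the default port, so "https://bank.example:443" and "https://bank.example" compare equal while a non-default port does not.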
