Re: Origin header in loading external scripts (ISSUE-63)

From: Anne van Kesteren <annevk@opera.com>
Date: Wed, 10 Jun 2009 14:37:04 +0200
To: "Ian Hickson" <ian@hixie.ch>, "Thomas Broyer" <t.broyer@gmail.com>, "Adam Barth" <w3c@adambarth.com>
Cc: public-html <public-html@w3.org>
Message-ID: <op.uva6n2qa64w2qv@annevk-t60>

On Tue, 02 Jun 2009 22:58:22 +0200, Ian Hickson <ian@hixie.ch> wrote:
> I discussed this with Adam and we concluded that the problems involved in
> sending the Origin header for GET (namely, leaking intranet host names to
> the Internet) are a blocker.

This will happen for XMLHttpRequest GET, fwiw.

> However, I agree that we need to resolve the above problem also. In
> practice I believe that this is actually the same problem as we
> have with <video>, namely that there needs to be a way to do the opposite
> of what CORS does -- take a resource that would normally be visible to
> anyone, and make it only visible same-origin.

I was hoping that for cross-origin <video> data opt-in we could just use CORS. E.g. the resource specifies Access-Control-Allow-Origin. I was hoping the same for <img> together with <canvas> to be honest.

> Thus I believe this is an issue for CORS v2, which I expect will be
> addressed in the same timeframe as <video> v3.


Anne van Kesteren
Received on Wednesday, 10 June 2009 12:37:53 UTC
