- From: Martin Thomson <notifications@github.com>
- Date: Thu, 11 Oct 2018 22:16:54 -0700
- To: httpslocal/proposals <proposals@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Friday, 12 October 2018 05:17:22 UTC
> Or, could we indicate such a hash in HTTP request headers? I wonder whether the hash should be included in the device's URL or not. The point here was to ensure that these devices were hard to target with APIs like `postMessage`, which use a serialized origin as an identifier. It's not sufficient to modify HTTP requests for that. I hadn't really considered the effect on CORS requests originating from the device. For that, I think that including the extended origin in the Origin header field would be enough as well. That reveals the name of the device to the server, allowing it to communicate with it (using `postMessage` for instance). That seems like a nice property to have, though I'd want to spend a little time on analysis there to make sure that there aren't unexpected problems. -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/httpslocal/proposals/issues/1#issuecomment-429206910
Received on Friday, 12 October 2018 05:17:22 UTC