- From: Larry Masinter <masinter@adobe.com>
- Date: Thu, 3 Dec 2009 13:45:44 -0800
- To: Adam Barth <w3c@adambarth.com>
- CC: "public-web-security@w3.org" <public-web-security@w3.org>
I can understand "not sufficient". However, if the Origin header turns out to be "not necessary" (e.g., some other mechanism is more applicable) then would it be harmful to leave the HTML5 spec requiring an Origin header? Larry -- http://larry.masinter.net -----Original Message----- From: Adam Barth [mailto:w3c@adambarth.com] Sent: Thursday, December 03, 2009 1:40 PM To: Larry Masinter Cc: public-web-security@w3.org Subject: The Origin header (was Re: HTTPbis and the Same Origin Policy) Changing the subject line since this appears to be a new topic. On Thu, Dec 3, 2009 at 1:35 PM, Larry Masinter <masinter@adobe.com> wrote: > Is the "Origin" header generally agreed to be both necessary > and sufficient for same-origin-policy work to proceed? I'm not sure the Origin header is either necessary or sufficient. The same-origin policy is much larger and more extensive than a single header. > Right now, HTML 5 continues to refer to the Origin header as > supporting the same-origin policy, and it seemed to me that > there was still some disagreement about whether it should > be retained. > > The HTML issue is scheduled to be closed today (Dec 3) -- should it > remain open? Would anyone volunteer to write a "change proposal" > (re)moving "Origin header" from the HTML5 spec? > > > http://www.w3.org/html/wg/tracker/issues/63 > > Larry > -- > http://larry.masinter.net > > >
Received on Thursday, 3 December 2009 21:46:30 UTC