RE: The Origin header (was Re: HTTPbis and the Same Origin Policy)

I can understand "not sufficient". However, if the Origin header
turns out to be "not necessary" (e.g., some other mechanism is
more applicable) then would it be harmful to leave the HTML5
spec requiring an Origin header?


Larry
--
http://larry.masinter.net


-----Original Message-----
From: Adam Barth [mailto:w3c@adambarth.com] 
Sent: Thursday, December 03, 2009 1:40 PM
To: Larry Masinter
Cc: public-web-security@w3.org
Subject: The Origin header (was Re: HTTPbis and the Same Origin Policy)

Changing the subject line since this appears to be a new topic.

On Thu, Dec 3, 2009 at 1:35 PM, Larry Masinter <masinter@adobe.com> wrote:
> Is the "Origin" header generally agreed to be both necessary
> and sufficient for same-origin-policy work to proceed?

I'm not sure the Origin header is either necessary or sufficient.  The
same-origin policy is much larger and more extensive than a single
header.

> Right now, HTML 5 continues to refer to the Origin header as
> supporting the same-origin policy, and it seemed to me that
> there was still some disagreement about whether it should
> be retained.
>
> The HTML issue is scheduled to be closed today (Dec 3) -- should it
> remain open? Would anyone volunteer to write a "change proposal"
> (re)moving "Origin header" from the HTML5 spec?
>
>
> http://www.w3.org/html/wg/tracker/issues/63
>
> Larry
> --
> http://larry.masinter.net

Received on Thursday, 3 December 2009 21:46:30 UTC