
Re: The Origin header (was Re: HTTPbis and the Same Origin Policy)

From: Mark S. Miller <erights@google.com>
Date: Thu, 3 Dec 2009 13:58:19 -0800
Message-ID: <4d2fac900912031358m7c77ac2clc9a1ec7702cf51fd@mail.gmail.com>
To: Larry Masinter <masinter@adobe.com>
Cc: Adam Barth <w3c@adambarth.com>, "public-web-security@w3.org" <public-web-security@w3.org>

It would be harmful.

On Thu, Dec 3, 2009 at 1:45 PM, Larry Masinter <masinter@adobe.com> wrote:
> I can understand "not sufficient". However, if the Origin header
> turns out to be "not necessary" (e.g., some other mechanism is
> more applicable) then would it be harmful to leave the HTML5
> spec requiring an Origin header?
>
>
> Larry
> --
> http://larry.masinter.net
>
>
> -----Original Message-----
> From: Adam Barth [mailto:w3c@adambarth.com]
> Sent: Thursday, December 03, 2009 1:40 PM
> To: Larry Masinter
> Cc: public-web-security@w3.org
> Subject: The Origin header (was Re: HTTPbis and the Same Origin Policy)
>
> Changing the subject line since this appears to be a new topic.
>
> On Thu, Dec 3, 2009 at 1:35 PM, Larry Masinter <masinter@adobe.com> wrote:
>> Is the "Origin" header generally agreed to be both necessary
>> and sufficient for same-origin-policy work to proceed?
>
> I'm not sure the Origin header is either necessary or sufficient.  The
> same-origin policy is much larger and more extensive than a single
> header.
>
>> Right now, HTML 5 continues to refer to the Origin header as
>> supporting the same-origin policy, and it seemed to me that
>> there was still some disagreement about whether it should
>> be retained.
>>
>> The HTML issue is scheduled to be closed today (Dec 3) -- should it
>> remain open? Would anyone volunteer to write a "change proposal"
>> (re)moving "Origin header" from the HTML5 spec?
>>
>>
>> http://www.w3.org/html/wg/tracker/issues/63
>>
>> Larry
>> --
>> http://larry.masinter.net
>>
>>
>>
>
>



-- 
    Cheers,
    --MarkM
Received on Thursday, 3 December 2009 22:05:03 GMT
