Re: The Origin header (was Re: HTTPbis and the Same Origin Policy)

From: Adam Barth <w3c@adambarth.com>
Date: Thu, 3 Dec 2009 14:06:04 -0800
Message-ID: <7789133a0912031406h45cc00dcvd291fcbd1d5eacde@mail.gmail.com>
To: Larry Masinter <masinter@adobe.com>
Cc: "public-web-security@w3.org" <public-web-security@w3.org>, "Mark S. Miller" <erights@google.com>

On Thu, Dec 3, 2009 at 1:45 PM, Larry Masinter <masinter@adobe.com> wrote:
> I can understand "not sufficient". However, if the Origin header
> turns out to be "not necessary" (e.g., some other mechanism is
> more applicable) then would it be harmful to leave the HTML5
> spec requiring an Origin header?

Not necessary does not imply not useful.  For example, <canvas> isn't
necessary for drawing lines on the screen, but it's sure useful.

On Thu, Dec 3, 2009 at 1:58 PM, Mark S. Miller <erights@google.com> wrote:
> It would be harmful.

That's a matter of opinion.  :)

Adam
Received on Thursday, 3 December 2009 22:07:04 GMT
