Re: LC nits on draft-ietf-websec-origin-04, Re: Fwd: [websec] WG Last Call on draft-ietf-websec-origin-02 until Aug-15

From: Julian Reschke <julian.reschke@gmx.de>
Date: Fri, 26 Aug 2011 10:08:21 +0200
Message-ID: <4E575475.30609@gmx.de>
To: Adam Barth <w3c@adambarth.com>
CC: Peter Saint-Andre <stpeter@stpeter.im>, public-web-security <public-web-security@w3.org>, Thomas Roessler <tlr@w3.org>, websec <websec@ietf.org>

On 2011-08-26 09:58, Adam Barth wrote:
> ...
> That could well be important if the Origin header is used in other
> protocols, such as CORS.  Would you recommend requiring the first or
> the last instance?
> ...

(cc'ing the IETF WG; I was replying to the wrong email thread)

I think the right thing to do would be to recommend one of:

- treat the message as invalid, or

- ignore the header field (whatever that means...).

Picking one of the two seems to be the wrong approach.

Best regards, Julian
Received on Friday, 26 August 2011 08:08:49 GMT
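
The two behaviours recommended in the message above for a request that carries more than one Origin header field, as an added Python example (not part of the original thread or of the draft). The names `Policy`, `resolve_origin` and `is_allowed`, the sample request, and the reading of "ignore" as "act as if no Origin field was sent" are assumptions.

```python
from enum import Enum

class Policy(Enum):
    REJECT = "reject"  # treat the whole message as invalid
    IGNORE = "ignore"  # assumption: act as if no Origin field was sent

class InvalidMessage(Exception):
    """Raised when a request carries more than one Origin header field."""

def origin_values(headers):
    """Return every Origin field value; field names are case-insensitive."""
    return [v.strip() for n, v in headers if n.strip().lower() == "origin"]

def resolve_origin(headers, policy):
    """Return the single Origin value, or None if absent or ignored."""
    values = origin_values(headers)
    if len(values) > 1:
        if policy is Policy.REJECT:
            raise InvalidMessage(f"{len(values)} Origin header fields")
        return None  # IGNORE: never fall back to the first or last instance
    return values[0] if values else None

def is_allowed(headers, allowlist, policy):
    """Origin check that fails closed when the header is absent or ignored."""
    origin = resolve_origin(headers, policy)
    return origin is not None and origin in allowlist

# Constructed sample request: two Origin fields that differ in case and value.
SAMPLE = [
    ("Host", "api.example"),
    ("Origin", "https://app.example"),
    ("origin", "https://other.example"),
]
ALLOWLIST = {"https://app.example"}

if __name__ == "__main__":
    values = origin_values(SAMPLE)
    # First-instance and last-instance readers see different origins here,
    # which is why neither choice is used above.
    print("first:", values[0], "last:", values[-1])
    print("ignore ->", is_allowed(SAMPLE, ALLOWLIST, Policy.IGNORE))
    try:
        is_allowed(SAMPLE, ALLOWLIST, Policy.REJECT)
    except InvalidMessage as exc:
        print("reject ->", exc)
```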