
Origin (was: Re: XHR LC Draft Feedback)

From: Anne van Kesteren <annevk@opera.com>
Date: Sat, 24 May 2008 10:57:03 +0200
To: "Adam Barth" <public-webapi@adambarth.com>, "Collin Jackson" <collinj@cs.stanford.edu>
Cc: "Web API WG (public)" <public-webapi@w3.org>
Message-ID: <op.ubnhtdzg64w2qv@annevk-t60.oslo.opera.com>

On Sat, 24 May 2008 10:32:03 +0200, Anne van Kesteren <annevk@opera.com>  
wrote:
> On Tue, 13 May 2008 07:42:59 +0200, Adam Barth  
> <public-webapi@adambarth.com> wrote:
>> One option is to rename the header "Sec-Origin", which is already
>> blocked in XHR Level 1.
>
> True, but I think Access-Control-Origin is better as it more clearly  
> indicates what it is related to. And since we can safely do it given  
> that cross-site requests won't work for XMLHttpRequest until Access  
> Control is implemented I think it's acceptable.

It has been suggested that having an "Origin" header instead of  
"Access-Control-Origin" would be useful in other contexts as well. That  
browsers could always include this as it does not have the privacy issue  
the "Referer" header has (does not include the path) and could therefore  
be used for Access Control but also to prevent CSRF.

I'm not really sure whether that is a good idea, but you (Adam) and Collin  
can hopefully weigh in on that. :-)


-- 
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>
Received on Saturday, 24 May 2008 08:57:21 GMT
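
An added example, not part of the original message: a server-side check that uses the header for CSRF protection, as the message suggests. It assumes the header is sent as `scheme://host[:port]` with no path; the function names, the fail-closed policy for a missing header and the `bank.example` hosts are illustrative assumptions.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}  # assumed to have no side effects


def parse_origin(value):
    """Return (scheme, host, port) for a serialized origin, or None if unusable."""
    if not value or value == "null":
        return None
    try:
        parts = urlsplit(value)
        port = parts.port  # raises ValueError on a non-numeric or out-of-range port
    except ValueError:
        return None
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    # Unlike Referer, an origin carries no path, query, fragment or credentials.
    if parts.path or parts.query or parts.fragment or "@" in parts.netloc:
        return None
    if port is None:
        port = DEFAULT_PORTS[parts.scheme]
    return (parts.scheme, parts.hostname.lower(), port)


def allow_request(method, headers, trusted_origins):
    """Decide whether a request may proceed, judging only by its Origin header.

    `headers` is assumed to be a dict keyed by canonical header name.
    """
    if method.upper() in SAFE_METHODS:
        return True
    origin = parse_origin(headers.get("Origin"))
    if origin is None:
        return False  # absent, "null" or malformed: fail closed (assumed policy)
    # Compare whole (scheme, host, port) tuples, never string prefixes.
    return origin in {parse_origin(o) for o in trusted_origins}


if __name__ == "__main__":
    trusted = ["https://bank.example"]
    # Constructed sample requests: (method, headers)
    samples = [
        ("POST", {"Origin": "https://bank.example"}),
        ("POST", {"Origin": "https://bank.example.evil.test"}),
        ("POST", {"Origin": "http://bank.example"}),
        ("POST", {}),
    ]
    for method, headers in samples:
        print(method, headers, "->", allow_request(method, headers, trusted))
```
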
