Re: Origin (was: Re: XHR LC Draft Feedback)

From: Thomas Roessler <tlr@w3.org>
Date: Sat, 24 May 2008 20:08:30 +0200
To: Anne van Kesteren <annevk@opera.com>
Cc: Adam Barth <public-webapi@adambarth.com>, Collin Jackson <collinj@cs.stanford.edu>, "Web API WG (public)" <public-webapi@w3.org>
Message-ID: <20080524180830.GR292@iCoaster.does-not-exist.org>

On 2008-05-24 10:57:03 +0200, Anne van Kesteren wrote:

> It has been suggested that having an "Origin" header instead of 
> "Access-Control-Origin" would be useful in other contexts as
> well. That browsers could always include this as it does not have
> the privacy issue the "Referer" header has (does not include the
> path) and could therefore be used for Access Control but also to
> prevent CSRF.

Incidentally, +1 to "Origin" - for two reasons:

(a) it might indeed turn out to be more generally useful
(b) it's much less of a mouthful than Access-Control-Origin

-- 
Thomas Roessler, W3C  <tlr@w3.org>
Received on Saturday, 24 May 2008 18:09:08 GMT
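
Added example, not part of the original message or of any specification text: a server-side check in Python showing the two properties the quoted proposal relies on, that an origin carries no path and that it can gate state-changing requests against CSRF. The names `origin_of` and `allow_request`, the `shop.example` hosts, and the policy of rejecting requests with no "Origin" header are assumptions made for this illustration.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}  # not expected to change state


def origin_of(url):
    """Reduce a URL to scheme://host[:port]; path, query and fragment are dropped."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    if scheme not in DEFAULT_PORTS or not host:
        return None  # covers "null" and non-HTTP schemes
    if port is None or port == DEFAULT_PORTS[scheme]:
        return f"{scheme}://{host}"
    return f"{scheme}://{host}:{port}"


def allow_request(method, headers, trusted_origins):
    """Gate state-changing requests on the Origin header (hypothetical policy)."""
    if method.upper() in SAFE_METHODS:
        return True
    origin = headers.get("Origin")  # assumes header names are already normalised
    if origin is None:
        return False  # assumption: treat a missing header as untrusted
    return origin_of(origin) in trusted_origins


# Constructed sample data for the demonstration.
TRUSTED = {"https://shop.example"}
REFERER = "https://shop.example/account/orders?id=7"

if __name__ == "__main__":
    # A Referer value exposes the path and query; the derived origin does not.
    print(REFERER, "->", origin_of(REFERER))
    for hdrs in ({"Origin": "https://shop.example"},
                 {"Origin": "https://other.example"},
                 {"Origin": "null"},
                 {}):
        print(hdrs, "->", allow_request("POST", hdrs, TRUSTED))
```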
