W3C home > Mailing lists > Public > public-webapi@w3.org > May 2008

Re: Origin (was: Re: XHR LC Draft Feedback)

From: Anne van Kesteren <annevk@opera.com>
Date: Sat, 24 May 2008 22:40:15 +0200
To: "Adam Barth" <public-webapi@adambarth.com>
Cc: "Collin Jackson" <collinj@cs.stanford.edu>, "Web API WG (public)" <public-webapi@w3.org>
Message-ID: <op.uboeddjt64w2qv@annevk-t60.oslo.opera.com>

On Sat, 24 May 2008 20:48:00 +0200, Adam Barth  
<public-webapi@adambarth.com> wrote:
> People often suggest that we should attach the Origin header to GET
> requests as well as POST requests.  This increases the security
> benefits of the proposal, but it also increases the privacy cost
> because the header would then be sent for every hyperlink click.  Many
> organizations suppress the Referer header at their network boundary to
> prevent external sites from learning the structure of their internal
> network.  While the Origin header does not include the path (and thus
> reveals much less information), the names of internal hosts might
> still be sensitive.  We think restricting the header to POST requests
> will discourage these organizations from suppressing the header
> because it is much less common for an internal site to POST to an
> external site (compared with how common it is for an internal site to
> hyperlink to an external site).

Interesting. I note that for cross-site requests using Access Control  
(XMLHttpRequest, server-sent events, XSLT, XBL, and maybe more later...)  
we need this Origin header to always function. Also for GET requests.  
(Though these GET requests are distinct from the ones you get from <a> in  
that the response data is somehow exposed to the origin from which the  
request originated if the third party agrees.)

Having said that, if Access Control becomes successful disabling Origin  
would break major sites so maybe it's not much of an issue.

> Of course, XHR2 could use the Access-Control-Origin header and this
> proposal could use the Origin header, but the two are conceptually
> very similar and it might be worthwhile to use the same header name.

Ok, I'll use Origin.


Anne van Kesteren
Received on Saturday, 24 May 2008 20:40:37 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 21:16:27 UTC