
Re: Origin

From: Anne van Kesteren <annevk@opera.com>
Date: Mon, 26 May 2008 00:27:04 +0200
To: "Jonas Sicking" <jonas@sicking.cc>
Cc: "Adam Barth" <public-webapi@adambarth.com>, "Collin Jackson" <collinj@cs.stanford.edu>, "Web API WG (public)" <public-webapi@w3.org>
Message-ID: <op.ubqdzea164w2qv@annevk-t60.oslo.opera.com>

On Sun, 25 May 2008 23:36:48 +0200, Jonas Sicking <jonas@sicking.cc> wrote:
> If the header is simply named 'Origin' (or 'Referer-Root') then blocking  
> any requests that include that header would also block for example  
> cross-site image requests or cross-site POSTs.

Right. Given that it's likely we get extensions in the future that allow  
reading the contents of images (<img>.getImageData() or something) or the  
response of a <form> POST (some features in Web Forms 2.0 allow this as  
far as I can tell).


> This can be both good and bad. The good part is that it gives sites a  
> tool to easily block all third-party requests. The bad part is that it  
> makes it harder to just block the most dangerous ones, i.e. ones where  
> the requesting site can read the response.

The response is never revealed unless specified by the server.


> I suggest we keep Access-Control-Origin as is. A separate 'Origin' spec  
> seems useful, but I suspect it would be better done as a separate spec.

I'm not convinced it's worth separating the two.


-- 
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>
Received on Sunday, 25 May 2008 22:27:21 GMT
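The trade-off the two messages above describe, as an added example that is not from this thread or from any W3C draft: a server-side policy that rejects every request carrying the requesting site's origin header (the option Jonas calls "good and bad") beside one that serves every request but only opts a response into cross-origin readability for allow-listed origins (the behaviour Anne summarises as "never revealed unless specified by the server"). The code uses today's CORS header names (`Origin` on the request, `Access-Control-Allow-Origin` on the response) rather than the 2008 draft's `Access-Control-Origin`; the allow-list, the sample requests and the function names are constructed for illustration.

```javascript
// Added example, not code from the thread. Models a server's CORS decision
// and the browser's readability rule as pure functions so it runs offline.
// Header names follow the current CORS spec; the 2008 draft discussed above
// used different names. Header keys are lower-cased as Node's http module does.

// Hypothetical allow-list of origins permitted to read our responses.
const ALLOWED_ORIGINS = new Set(["https://app.example", "https://admin.example"]);

// Policy A: refuse anything that carries an Origin header. Cross-site <img>
// loads and cross-site <form> POSTs carry it too, so they break as well.
function blockAllCrossSite(req) {
  if (req.headers["origin"] !== undefined) {
    return { status: 403, headers: {}, body: "" };
  }
  return { status: 200, headers: {}, body: "secret" };
}

// Policy B: serve every request, but add Access-Control-Allow-Origin only for
// allow-listed origins. The response always leaves the server; whether the
// requesting page may read it is decided by that header alone.
function serveWithOptIn(req) {
  const origin = req.headers["origin"];
  const headers = {};
  if (origin !== undefined && ALLOWED_ORIGINS.has(origin)) {
    headers["access-control-allow-origin"] = origin;
    // When the value depends on the request's Origin, caches must key on it.
    headers["vary"] = "Origin";
  }
  return { status: 200, headers, body: "secret" };
}

// Browser-side rule for a cross-origin fetch/XHR without credentials: the page
// at pageOrigin may read the body only if the server echoed its origin or "*".
function responseReadableBy(pageOrigin, resp) {
  const acao = resp.headers["access-control-allow-origin"];
  return resp.status === 200 && (acao === "*" || acao === pageOrigin);
}

// Constructed sample requests: a same-site navigation (no Origin header), a
// cross-site <img> from an unknown site, and a cross-site XHR from an
// allow-listed page.
const SAMPLE_REQUESTS = [
  { label: "same-site navigation", headers: {} },
  { label: "cross-site <img> from evil.example", headers: { origin: "https://evil.example" } },
  { label: "cross-site XHR from app.example", headers: { origin: "https://app.example" } },
];

// Runs one policy over the samples. `served` is whether the server answered
// 200; `readable` is whether the requesting page could read the body, or
// null when the request was not cross-origin at all.
function evaluate(policy) {
  return SAMPLE_REQUESTS.map((req) => {
    const resp = policy(req);
    const origin = req.headers["origin"];
    return {
      label: req.label,
      served: resp.status === 200,
      readable: origin === undefined ? null : responseReadableBy(origin, resp),
    };
  });
}

console.log("blockAllCrossSite:", JSON.stringify(evaluate(blockAllCrossSite)));
console.log("serveWithOptIn:   ", JSON.stringify(evaluate(serveWithOptIn)));
```

Under policy A the `<img>` request and the allow-listed XHR are both refused, which is the breakage Jonas points out. Under policy B both are served, but only the allow-listed page can read the body; the unknown site's `<img>` still renders while its script sees an opaque response.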
