
Re: Do we need to rename the Origin header?

From: Anne van Kesteren <annevk@opera.com>
Date: Sat, 04 Apr 2009 12:17:44 +0200
To: "Bil Corry" <bil@corry.biz>, "Jonas Sicking" <jonas@sicking.cc>
Cc: "Ian Hickson" <ian@hixie.ch>, "Adam Barth" <w3c@adambarth.com>, public-webapps@w3.org, "Maciej Stachowiak" <mjs@apple.com>, "Sam Weinig" <weinig@apple.com>
Message-ID: <op.uruxjua164w2qv@annevk-t60.oslo.opera.com>

On Fri, 03 Apr 2009 22:05:52 +0200, Bil Corry <bil@corry.biz> wrote:
> So the first question to ponder is if the referrer header really can  
> adequately replace Origin.  If it can, then we should move this  
> discussion over to ietf-http-wg and work to make sure referrer is  
> updated in a way to make it useful for CSRF protection.  If it can not,  
> then we should discuss Origin here as the ietf-http-wg has made it very  
> clear that they are not interested.

FWIW, for CORS it's too late to rename Origin now that we have three  
implementations, one of which is shipping (IE) and two that are in beta  
(Firefox, Safari). (Anyone know which version of Chrome supports CORS?)

CORS defines the Origin header as well:

   http://www.w3.org/TR/2009/WD-cors-20090317/#origin-request-header

It has also been registered in the provisional header registry from IANA  
for quite a while.


-- 
Anne van Kesteren
http://annevankesteren.nl/
Received on Saturday, 4 April 2009 10:19:02 GMT
