W3C home > Mailing lists > Public > public-webapps@w3.org > April to June 2009

Re: Discussions with HTTP WG about Origin header [was: Do we need to rename the Origin header?]

From: Thomas Roessler <tlr@w3.org>
Date: Wed, 8 Apr 2009 18:36:33 +0200
To: Robert Sayre <sayrer@gmail.com>
Message-Id: <7E4E40C1-5AA3-4338-9BDF-1686CF52AEEB@w3.org>
Cc: "Michael(tm) Smith" <mike@w3.org>, Jonas Sicking <jonas@sicking.cc>, Bil Corry <bil@corry.biz>, Ian Hickson <ian@hixie.ch>, Adam Barth <w3c@adambarth.com>, Anne van Kesteren <annevk@opera.com>, public-webapps@w3.org, Maciej Stachowiak <mjs@apple.com>, Sam Weinig <weinig@apple.com>
On 8 Apr 2009, at 18:31, Robert Sayre wrote:

> On Wed, Apr 8, 2009 at 1:18 AM, Michael(tm) Smith <mike@w3.org> wrote:
>> Thomas Roessler <tlr@w3.org>, 2009-04-06 11:19 +0200:
>>
>>>  (The http-wg discussion looked ill-informed; among other things,  
>>> they didn't
>>>  understand the relationship with CORS.)
>
> Why would they? The Origin header seems to be the solution to many
> problems. It's not obvious that it should be reused for each one.


That's precisely the point -- there was a sense at a point in the past  
that CORS and the anti-CSRF Origin headers should be identical (since  
they're pretty similar for most cases, and having a single header  
would simplify things for web application authors).

--
Thomas Roessler, W3C  <tlr@w3.org>
Received on Wednesday, 8 April 2009 16:36:44 GMT

This archive was generated by hypermail 2.3.1 : Tuesday, 26 March 2013 18:49:31 GMT