- From: Thomas Roessler <tlr@w3.org>
- Date: Wed, 8 Apr 2009 18:36:33 +0200
- To: Robert Sayre <sayrer@gmail.com>
- Cc: "Michael(tm) Smith" <mike@w3.org>, Jonas Sicking <jonas@sicking.cc>, Bil Corry <bil@corry.biz>, Ian Hickson <ian@hixie.ch>, Adam Barth <w3c@adambarth.com>, Anne van Kesteren <annevk@opera.com>, public-webapps@w3.org, Maciej Stachowiak <mjs@apple.com>, Sam Weinig <weinig@apple.com>
On 8 Apr 2009, at 18:31, Robert Sayre wrote:

> On Wed, Apr 8, 2009 at 1:18 AM, Michael(tm) Smith <mike@w3.org> wrote:
>> Thomas Roessler <tlr@w3.org>, 2009-04-06 11:19 +0200:
>>
>>> (The http-wg discussion looked ill-informed; among other things,
>>> they didn't understand the relationship with CORS.)
>
> Why would they? The Origin header seems to be the solution to many
> problems. It's not obvious that it should be reused for each one.

That's precisely the point -- there was a sense at a point in the past that CORS and the anti-CSRF Origin headers should be identical (since they're pretty similar for most cases, and having a single header would simplify things for web application authors).

--
Thomas Roessler, W3C <tlr@w3.org>

Received on Wednesday, 8 April 2009 16:36:44 UTC