W3C home > Mailing lists > Public > public-webapps@w3.org > April to June 2009

Re: XHR without user credentials

From: Tyler Close <tyler.close@gmail.com>
Date: Tue, 9 Jun 2009 09:19:04 -0700
Message-ID: <5691356f0906090919g1c35cf2fsdda06b218a4f0349@mail.gmail.com>
To: Adam Barth <w3c@adambarth.com>
Cc: "Mark S. Miller" <erights@google.com>, Anne van Kesteren <annevk@opera.com>, public-webapps <public-webapps@w3.org>

On Tue, Jun 9, 2009 at 12:22 AM, Adam Barth<w3c@adambarth.com> wrote:
> On Mon, Jun 8, 2009 at 5:59 PM, Mark S. Miller<erights@google.com> wrote:
>> For concreteness, for the Origin header for these requests, I'll start with
>> the simplest proposal that meets my goals: no Origin header for either same
>> origin requests or cross origin requests. But for both the same origin case
>> and the cross origin case, I am actually indifferent between no Origin
>> header and an "Origin: null" header. If there's a reason for the "Origin:
>> null" header, I'm happy with that.
>
> Please send "Origin: null" in these cases.  The problem with omitting
> the origin header is that the server can't tell if the request comes
> from a legacy client or if the header was removed in transit.

For the GuestXMLHttpRequest scenario, why should the server
distinguish between these two cases?

--Tyler

-- 
"Waterken News: Capability security on the Web"
http://waterken.sourceforge.net/recent.html
Received on Tuesday, 9 June 2009 16:19:40 GMT
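The following is an added example, not code from this thread, from the Waterken project, or from any W3C draft. It models what a server receives under the two options quoted above (omit the Origin header entirely, or send the literal value "Origin: null") from three sources: a legacy client that never sent the header, a credentialed request whose header was removed in transit, and the credential-free request under discussion. The host names, the header-stripping intermediary and the classification rules are assumptions made for illustration only.

```javascript
// Added example, not code from the thread or from any W3C draft.
// Host names, the header-stripping intermediary and the classification
// rules below are assumptions for illustration only.

const SERVER_ORIGIN = "https://api.example.test"; // assumed server origin

// A browser that predates the Origin header: it never sends one,
// but it does send ambient credentials such as cookies.
function legacyClientRequest() {
  return { headers: { host: "api.example.test", cookie: "session=abc" } };
}

// An ordinary credentialed cross-origin request from an assumed origin.
function credentialedCrossOriginRequest() {
  return {
    headers: {
      host: "api.example.test",
      cookie: "session=abc",
      origin: "https://other.example.test",
    },
  };
}

// The credential-free request under discussion: no cookies, and either
// no Origin header at all or the literal value "null".
function guestRequest({ sendNullOrigin }) {
  const headers = { host: "api.example.test" };
  if (sendNullOrigin) headers.origin = "null";
  return { headers };
}

// An intermediary that removes the Origin header in transit (assumed behaviour).
function stripOriginInTransit(request) {
  const { origin, ...rest } = request.headers;
  return { ...request, headers: rest };
}

// What the server can conclude from the Origin header alone.
function classifyRequest(request, serverOrigin = SERVER_ORIGIN) {
  const origin = request.headers.origin;
  if (origin === undefined) {
    // Legacy client, header stripped in transit, or a client that chose
    // to omit it: the server cannot tell these apart.
    return "origin-unknown";
  }
  if (origin === "null") return "anonymous";
  if (origin === serverOrigin) return "same-origin";
  return "cross-origin";
}

// Run the three sources through the server under each proposal and return
// the classifications, so the ambiguity (or its absence) is visible.
function compareProposals() {
  const sources = (sendNullOrigin) => ({
    legacy: legacyClientRequest(),
    stripped: stripOriginInTransit(credentialedCrossOriginRequest()),
    guest: guestRequest({ sendNullOrigin }),
  });
  const classify = (reqs) =>
    Object.fromEntries(
      Object.entries(reqs).map(([name, req]) => [name, classifyRequest(req)])
    );
  return {
    omitHeader: classify(sources(false)),
    originNull: classify(sources(true)),
  };
}

console.log(JSON.stringify(compareProposals(), null, 2));
```

With the header omitted, all three sources reach the server as "origin-unknown" and are indistinguishable; with "Origin: null", the guest request alone classifies as "anonymous" while the legacy and stripped cases remain ambiguous. That is the distinction the quoted reply asks for; whether a server handling the guest scenario has any reason to act on it is exactly the question raised in this message.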
