Re: Origin enables XSS to escalate to XSRF (was: security issue with XMLHttpRequest API compatibility)

I think this may be a foolish question, but is the value of Origin:
limited to sites? Couldn't it be an individual web page (URI)? Or a
wildcard? Is there some principled reason for such a limitation (if it
exists)?

I took a look at the HTML5 draft (cited by CORS) and couldn't quite
figure this out.

Thanks
Jonathan

Received on Thursday, 11 June 2009 11:36:37 UTC