- From: Anne van Kesteren <annevk@opera.com>
- Date: Thu, 11 Jun 2009 13:51:23 +0200
- To: "Jonathan Rees" <jar@creativecommons.org>, "Adam Barth" <w3c@adambarth.com>
- Cc: "Mark S. Miller" <erights@google.com>, public-webapps <public-webapps@w3.org>
On Thu, 11 Jun 2009 13:35:57 +0200, Jonathan Rees <jar@creativecommons.org> wrote: > I think this may be a foolish question, but is the value of Origin: > limited to sites? Couldn't it be an individual web page (URI)? Or a > wildcard? Is there some principled reason for such a limitation (if it > exists)? > > I took a look at the HTML5 draft (cited by CORS) and couldn't quite > figure this out. The reason is that this does not reveal confidential path information and can therefore more often be included in the request than the Referer header. (Since we've learned that changing Referer might have been a possible approach too, but alas, implementations are shipping.) The other reason is that most security decisions in Web browsers (and by extension, on the Web) are origin based. It is that restriction that this draft is trying to alleviate. -- Anne van Kesteren http://annevankesteren.nl/
Received on Thursday, 11 June 2009 11:52:11 UTC