Re: Do we need to rename the Origin header?

From: Bil Corry <bil@corry.biz>
Date: Sat, 20 Jun 2009 14:57:50 -0500
Message-ID: <4A3D3F3E.7060500@corry.biz>
To: Ian Hickson <ian@hixie.ch>
CC: whatwg@whatwg.org, Jonas Sicking <jonas@sicking.cc>, Adam Barth <w3c@adambarth.com>, Anne van Kesteren <annevk@opera.com>, public-webapps@w3.org, Maciej Stachowiak <mjs@apple.com>, Sam Weinig <weinig@apple.com>

Ian Hickson wrote on 6/2/2009 8:11 PM:
> On Thu, 2 Apr 2009, Bil Corry wrote:
>> Related, HTML5 currently prohibits sending the XXX-Origin header for GET 
>> requests.  This is to prevent intranet applications leaking their 
>> internal hostnames to external sites (are there other reasons?).
>>
>> However, there is value in a site being able to determine that a request 
>> originated from itself, so to that end, I'd like to request that HTML5 
>> specify that the XXX-Origin header should be sent for any same-origin 
>> GET requests.  This would still avoid leaking intranet hostnames while 
>> allowing a site to verify that a request came from itself.
> 
> That's an interesting idea; Adam, what do you think? I'm a bit wary of 
> adding too many features at once here, and it's difficult to define 
> exactly what constitutes a same-origin request sometimes, so this might not 
> be that easy to do.

I've lost track, is this still something being considered?


- Bil
Received on Saturday, 20 June 2009 19:58:26 GMT
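
The server-side check that the quoted proposal would enable, as an added example that is not part of the original message or of any specification text. It assumes the header ends up named `Origin` (the thread's "XXX-Origin" placeholder) and that header names arrive lower-cased; `SITE_ORIGIN`, `normalizeOrigin` and `classifyRequest` are hypothetical names, and the sample requests are constructed.

```javascript
// Added example. "Origin" stands in for the thread's "XXX-Origin" placeholder;
// SITE_ORIGIN, normalizeOrigin and classifyRequest are hypothetical names.
const SITE_ORIGIN = "https://app.example.test"; // constructed value

// Reduce a header value to scheme://host[:port] with default ports dropped and
// the host lower-cased, or return null if it is not a usable http(s) origin.
function normalizeOrigin(value) {
  if (typeof value !== "string" || value === "" || value === "null") return null;
  let url;
  try {
    url = new URL(value);
  } catch (e) {
    return null;
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") return null;
  // A serialized origin has no credentials, path, query or fragment.
  if (url.username || url.password || url.pathname !== "/" || url.search || url.hash) return null;
  return url.origin;
}

// headers: object keyed by lower-cased header name (assumption).
function classifyRequest(headers) {
  const raw = headers["origin"];
  // Absent header: a cross-origin GET under the rule quoted in the thread, or
  // a client that never sends the header. The server cannot tell which.
  if (raw === undefined) return "unverified";
  const sent = normalizeOrigin(raw);
  if (sent === null) return "cross-origin"; // "null" or malformed: never our own origin
  return sent === normalizeOrigin(SITE_ORIGIN) ? "same-origin" : "cross-origin";
}

// Constructed sample requests.
const samples = [
  { origin: "https://app.example.test" },
  { origin: "https://APP.example.test:443" },
  { origin: "http://app.example.test" },
  { origin: "https://app.example.test.other.test" },
  { origin: "null" },
  {},
];
for (const h of samples) console.log(JSON.stringify(h), "->", classifyRequest(h));
```

Only the `same-origin` result is positive evidence that the site issued the request; `unverified` has to be handled by whatever other check the site already relies on.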