
Re: Do we need to rename the Origin header?

From: Thomas Roessler <tlr@w3.org>
Date: Mon, 12 Jan 2009 17:03:29 -0800
To: "Jonas Sicking" <jonas@sicking.cc>
Message-Id: <F7776616-FF61-4352-987B-5350C4BCC84C@w3.org>
Cc: public-webapps@w3.org

On 12 Jan 2009, at 16:31, Jonas Sicking wrote:

> There are 3 possible solutions that I can see to this:
> 1. Change the name of the Origin header in Access-Control
> 2. Change the name of the Origin header used for CSRF protection
> 3. Change the behavior of one (or both) of the specs such that they
> match in behavior.
>
> My concern with doing 3 is that the CSRF protection part hasn't been
> fully ironed out yet, so if we were to tie Access-Control to the CSRF
> protection scheme then that might leave Access-Control in flux longer
> than we want.

My preference would be 3.  Having two almost identical headers in  
place will only cause more confusion, and ultimately do damage.
Received on Tuesday, 13 January 2009 01:03:45 GMT
