
Re: Do we need to rename the Origin header?

From: Ian Hickson <ian@hixie.ch>
Date: Tue, 13 Jan 2009 01:35:58 +0000 (UTC)
To: Jonas Sicking <jonas@sicking.cc>
Cc: Thomas Roessler <tlr@w3.org>, public-webapps@w3.org
Message-ID: <Pine.LNX.4.62.0901130133280.29785@hixie.dreamhostps.com>

On Mon, 12 Jan 2009, Jonas Sicking wrote:
> 
> Well, they have semantically different meanings:
> 
> The Access-Control one means "this is the party I'm sending data to".
> The CSRF one means "this is the party that initiated the request".

In particular, with CSRF, the requesting party is _not_ the party to which 
the server is sending data.

I agree that using the same header is problematic. For HTML5 I'm happy to 
use whatever header people want. In fact ideally I'd love there to be an 
RFC or some documentation somewhere defining the header that HTML5 uses, 
so that I can reference that when requiring it be sent.

Should I remove or rename 'Origin' in HTML5 for now?

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Tuesday, 13 January 2009 01:36:34 GMT
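
The distinction drawn in this message, as an added example that is not part of the original post or of any specification: a server that answers the two questions separately, one for who may receive the response data (access control) and one for who initiated a state-changing request (CSRF). The origins, policy sets, function names and the choice to refuse unsafe requests that carry no origin value are all assumptions made for illustration.

```javascript
// Added illustration. Origins and policy sets below are constructed.
const READ_ALLOWED = new Set(["https://app.example", "https://partner.example"]);
const TRUSTED_INITIATORS = new Set(["https://app.example"]);
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS"]);

// Access-control question: may the response data be handed to this origin?
function accessControlHeaders(origin) {
  if (origin !== undefined && READ_ALLOWED.has(origin)) {
    return { "Access-Control-Allow-Origin": origin, "Vary": "Origin" };
  }
  return {};
}

// CSRF question: did a party we trust initiate this state-changing request?
// Assumption: a missing or "null" value is refused for unsafe methods.
function initiatorAllowed(method, origin) {
  if (SAFE_METHODS.has(method)) return true;
  return origin !== undefined && TRUSTED_INITIATORS.has(origin);
}

// Both decisions are made from the same header value but are independent.
function handle(method, headers) {
  const origin = headers["origin"];
  if (!initiatorAllowed(method, origin)) {
    return { status: 403, headers: {} };
  }
  return { status: 200, headers: accessControlHeaders(origin) };
}

// Constructed requests: the partner may read data but may not initiate writes.
const samples = [
  ["GET", { origin: "https://partner.example" }],
  ["POST", { origin: "https://partner.example" }],
  ["POST", { origin: "https://app.example" }],
  ["POST", {}],
];
for (const [method, headers] of samples) {
  console.log(method, headers.origin, JSON.stringify(handle(method, headers)));
}
```
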
