
Re: Do we need to rename the Origin header?

From: Jonas Sicking <jonas@sicking.cc>
Date: Mon, 12 Jan 2009 17:59:34 -0800
Message-ID: <63df84f0901121759h45f76c24l6da69e063e33d7d5@mail.gmail.com>
To: "Ian Hickson" <ian@hixie.ch>
Cc: "Thomas Roessler" <tlr@w3.org>, public-webapps@w3.org

On Mon, Jan 12, 2009 at 5:35 PM, Ian Hickson <ian@hixie.ch> wrote:
> On Mon, 12 Jan 2009, Jonas Sicking wrote:
>>
>> Well, they have semantically different meanings:
>>
>> The Access-Control one means "this is the party I'm sending data to".
>> The CSRF one means "this is the party that initiated the request".
>
> In particular, with CSRF, the requesting party is _not_ the party to which
> the server is sending data.
>
> I agree that using the same header is problematic. For HTML5 I'm happy to
> use whatever header people want. In fact ideally I'd love there to be an
> RFC or some documentation somewhere defining the header that HTML5 uses,
> so that I can reference that when requiring it be sent.
>
> Should I remove or rename 'Origin' in HTML5 for now?

Well, HTML5 isn't the only place where this header has been discussed,
but it wouldn't be a bad idea I think.

/ Jonas
Received on Tuesday, 13 January 2009 02:00:09 GMT
