
Re: Do we need to rename the Origin header?

From: Thomas Roessler <tlr@w3.org>
Date: Mon, 12 Jan 2009 18:02:22 -0800
To: "Jonas Sicking" <jonas@sicking.cc>
Message-Id: <961B36CD-13B3-4B87-B84F-83CD38CCAE87@w3.org>
Cc: "Ian Hickson" <ian@hixie.ch>, public-webapps@w3.org

On 12 Jan 2009, at 17:59, Jonas Sicking wrote:

> On Mon, Jan 12, 2009 at 5:35 PM, Ian Hickson <ian@hixie.ch> wrote:
>> On Mon, 12 Jan 2009, Jonas Sicking wrote:
>>>
>>> Well, they have semantically different meanings:
>>>
>>> The Access-Control one means "this is the party I'm sending data to".
>>> The CSRF one means "this is the party that initiated the request".
>>
>> In particular, with CSRF, the requesting party is _not_ the party to
>> which the server is sending data.
>>
>> I agree that using the same header is problematic. For HTML5 I'm happy
>> to use whatever header people want. In fact ideally I'd love there to
>> be an RFC or some documentation somewhere defining the header that
>> HTML5 uses, so that I can reference that when requiring it be sent.
>>
>> Should I remove or rename 'Origin' in HTML5 for now?
>
> Well, HTML5 isn't the only place where this header has been discussed,
> but it wouldn't be a bad idea I think.

+1

Having the CSRF-Origin defined in an RFC or another separate spec is a
good idea independently of whether or not it ends up being the same
header that's used for cross-site XHR.

Received on Tuesday, 13 January 2009 02:02:32 GMT
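The two meanings of "origin" that the thread distinguishes (the party that initiated a request, used for CSRF defence, versus the party the server is willing to send data to, used for cross-site XHR) lead to two different server-side checks. The block below is an added illustration and is not code from the thread, from HTML5 or from the Access-Control spec; it assumes the header names as they later shipped in browsers (`Origin` on the request, `Access-Control-Allow-Origin` on the response), and the trusted-origin sets and sample headers are constructed for the example.

```javascript
// Added example, not from the original thread. Shows how a server would
// consume the two notions of "origin" discussed above.
//
// CSRF sense: Origin names the party that *initiated* the request. A
// state-changing endpoint compares it with the origins it trusts to
// submit to it.
//
// Cross-site XHR (Access-Control) sense: the server decides which
// requesting origin it is willing to *send data to* and echoes that
// origin in Access-Control-Allow-Origin; the browser withholds the
// response from the page otherwise.
//
// Header names and allowlists here are assumptions for illustration.

const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS"]);

// Normalise an Origin value to scheme://host[:port]; null if unparsable
// or opaque (the literal "null", as sent for sandboxed/file pages).
function canonicalOrigin(value) {
  if (typeof value !== "string") return null;
  try {
    const u = new URL(value);
    return u.origin === "null" ? null : u.origin;
  } catch {
    return null; // "null" and other non-URL values land here
  }
}

// CSRF decision: may this request change server state?
function csrfDecision(method, headers, trustedInitiators) {
  if (SAFE_METHODS.has(method.toUpperCase())) {
    return { allow: true, reason: "safe method, no state change" };
  }
  const origin = canonicalOrigin(headers["origin"]);
  if (origin === null) {
    // Some user agents omit Origin, and an opaque origin cannot be
    // trusted, so fail closed for state-changing requests.
    return { allow: false, reason: "missing or opaque Origin" };
  }
  return trustedInitiators.has(origin)
    ? { allow: true, reason: "Origin is a trusted initiator" }
    : { allow: false, reason: "untrusted initiator " + origin };
}

// Access-Control decision: which response headers let the browser
// release the body to the requesting page?
function corsHeaders(headers, readableBy) {
  const origin = canonicalOrigin(headers["origin"]);
  if (origin === null || !readableBy.has(origin)) {
    return {}; // no Access-Control-Allow-Origin: page cannot read the body
  }
  return {
    "Access-Control-Allow-Origin": origin, // echo one origin, never "*"
    "Vary": "Origin",                      // caches must key on Origin
  };
}

// Constructed sample: the same cross-site POST evaluated both ways.
function demo() {
  const headers = { origin: "https://partner.example" };
  return {
    csrf: csrfDecision("POST", headers, new Set(["https://app.example"])),
    cors: corsHeaders(headers, new Set(["https://partner.example"])),
  };
}
```

In `demo()` the request is rejected as a CSRF attempt (partner.example is not trusted to initiate writes to app.example) while the same origin would be allowed to read a response under the Access-Control rules; the two checks answer different questions, which is the point the thread makes about overloading a single header.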
