W3C home > Mailing lists > Public > public-webapps@w3.org > January to March 2009

Re: [access-control] Access-Control-Allow-Origin: * and ascii-origin in IE8

From: Bil Corry <bil@corry.biz>
Date: Wed, 14 Jan 2009 13:36:12 -0600
Message-ID: <496E3EAC.2030008@corry.biz>
To: Jonas Sicking <jonas@sicking.cc>
CC: Adrian Bateman <adrianba@microsoft.com>, "public-webapps@w3.org" <public-webapps@w3.org> 

Jonas Sicking wrote on 1/14/2009 12:53 PM: 
> The problem I think is that the current name, 'Origin',  is extremely
> generic and so it's likely to cause confusion once we get other
> headers containing origins.
> 
> That said, I do understand that this is a very late change for you
> guys. Developers will code to what works, so as long as things work
> the same across browsers, with regards to this and the CSRF protection
> header, things should be mostly ok.
> 
> What do other people think?

I liked your suggestion that would marry the two:

	Jonas Sicking wrote on 1/12/2009 7:22 PM: 
	> That said, here is a solution that might work for both Access-Control
	> and CSRF protection:
	> 
	> Site A makes a request to site B,
	>   the UA adds the header "Origin: A"
	> Site B redirects the request to site C,
	>   the UA adds the header "Origin: A, B"



- Bil
Received on Wednesday, 14 January 2009 19:36:52 UTC

This archive was generated by hypermail 2.3.1 : Friday, 27 October 2017 07:26:13 UTC