W3C home > Mailing lists > Public > public-webapps@w3.org > January to March 2009

Re: [access-control] Access-Control-Allow-Origin: * and ascii-origin in IE8

From: Anne van Kesteren <annevk@opera.com>
Date: Wed, 14 Jan 2009 20:45:25 +0100
To: "Bil Corry" <bil@corry.biz>, "Jonas Sicking" <jonas@sicking.cc>
Cc: "Adrian Bateman" <adrianba@microsoft.com>, "public-webapps@w3.org" <public-webapps@w3.org>
Message-ID: <op.unrihzvf64w2qv@annevk-t60.oslo.opera.com>

On Wed, 14 Jan 2009 20:36:12 +0100, Bil Corry <bil@corry.biz> wrote:
> Jonas Sicking wrote on 1/14/2009 12:53 PM:
>> The problem I think is that the current name, 'Origin',  is extremely
>> generic and so it's likely to cause confusion once we get other
>> headers containing origins.
>>
>> That said, I do understand that this is a very late change for you
>> guys. Developers will code to what works, so as long as things work
>> the same across browsers, with regards to this and the CSRF protection
>> header, things should be mostly ok.
>>
>> What do other people think?
>
> I liked your suggestion that would marry the two:
>
> 	Jonas Sicking wrote on 1/12/2009 7:22 PM:
> 	> That said, here is a solution that might work for both Access-Control
> 	> and CSRF protection:
> 	>
> 	> Site A makes a request to site B,
> 	>   the UA adds the header "Origin: A"
> 	> Site B redirects the request to site C,
> 	>   the UA adds the header "Origin: A, B"

This would mean significant changes to the draft which would not work well  
for Microsoft. Renaming I would like to consider, changing the semantics  
drastically seems out of order at this point.


-- 
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>
Received on Wednesday, 14 January 2009 19:46:29 GMT

This archive was generated by hypermail 2.3.1 : Tuesday, 26 March 2013 18:49:29 GMT