W3C home > Mailing lists > Public > public-webapps@w3.org > January to March 2009

Re: [access-control] Access-Control-Allow-Origin: * and ascii-origin in IE8

From: Jonas Sicking <jonas@sicking.cc>
Date: Wed, 14 Jan 2009 12:28:30 -0800
Message-ID: <63df84f0901141228n61ec0cfexbbd1a7422589563e@mail.gmail.com>
To: "Anne van Kesteren" <annevk@opera.com>
Cc: "Bil Corry" <bil@corry.biz>, "Adrian Bateman" <adrianba@microsoft.com>, "public-webapps@w3.org" <public-webapps@w3.org>

On Wed, Jan 14, 2009 at 11:45 AM, Anne van Kesteren <annevk@opera.com> wrote:
> On Wed, 14 Jan 2009 20:36:12 +0100, Bil Corry <bil@corry.biz> wrote:
>>
>> Jonas Sicking wrote on 1/14/2009 12:53 PM:
>>>
>>> The problem I think is that the current name, 'Origin',  is extremely
>>> generic and so it's likely to cause confusion once we get other
>>> headers containing origins.
>>>
>>> That said, I do understand that this is a very late change for you
>>> guys. Developers will code to what works, so as long as things work
>>> the same across browsers, with regards to this and the CSRF protection
>>> header, things should be mostly ok.
>>>
>>> What do other people think?
>>
>> I liked your suggestion that would marry the two:
>>
>>        Jonas Sicking wrote on 1/12/2009 7:22 PM:
>>        > That said, here is a solution that might work for both
>> Access-Control
>>        > and CSRF protection:
>>        >
>>        > Site A makes a request to site B,
>>        >   the UA adds the header "Origin: A"
>>        > Site B redirects the request to site C,
>>        >   the UA adds the header "Origin: A, B"
>
> This would mean significant changes to the draft which would not work well
> for Microsoft. Renaming I would like to consider, changing the semantics
> drastically seems out of order at this point.

Yup, I agree.

/ Jonas
Received on Wednesday, 14 January 2009 20:29:10 GMT

This archive was generated by hypermail 2.3.1 : Tuesday, 26 March 2013 18:49:29 GMT