- From: Jonas Sicking <jonas@sicking.cc>
- Date: Wed, 14 Jan 2009 12:28:30 -0800
- To: "Anne van Kesteren" <annevk@opera.com>
- Cc: "Bil Corry" <bil@corry.biz>, "Adrian Bateman" <adrianba@microsoft.com>, "public-webapps@w3.org" <public-webapps@w3.org>

On Wed, Jan 14, 2009 at 11:45 AM, Anne van Kesteren <annevk@opera.com> wrote:
> On Wed, 14 Jan 2009 20:36:12 +0100, Bil Corry <bil@corry.biz> wrote:
>>
>> Jonas Sicking wrote on 1/14/2009 12:53 PM:
>>>
>>> The problem I think is that the current name, 'Origin', is extremely
>>> generic and so it's likely to cause confusion once we get other
>>> headers containing origins.
>>>
>>> That said, I do understand that this is a very late change for you
>>> guys. Developers will code to what works, so as long as things work
>>> the same across browsers, with regards to this and the CSRF protection
>>> header, things should be mostly ok.
>>>
>>> What do other people think?
>>
>> I liked your suggestion that would marry the two:
>>
>> Jonas Sicking wrote on 1/12/2009 7:22 PM:
>> > That said, here is a solution that might work for both Access-Control
>> > and CSRF protection:
>> >
>> > Site A makes a request to site B,
>> > the UA adds the header "Origin: A"
>> > Site B redirects the request to site C,
>> > the UA adds the header "Origin: A, B"
>
> This would mean significant changes to the draft which would not work well
> for Microsoft. Renaming I would like to consider, changing the semantics
> drastically seems out of order at this point.

Yup, I agree.

/ Jonas

Received on Wednesday, 14 January 2009 20:29:10 UTC