W3C home > Mailing lists > Public > public-webapps@w3.org > April to June 2010

Re: Do we need to rename the Origin header?

From: Ian Hickson <ian@hixie.ch>
Date: Tue, 25 May 2010 08:46:57 +0000 (UTC)
To: Bil Corry <bil@corry.biz>
Cc: Adam Barth <w3c@adambarth.com>, public-webapps@w3.org
Message-ID: <Pine.LNX.4.64.1005250827420.22838@ps20323.dreamhostps.com>
On Mon, 24 May 2010, Bil Corry wrote:
> >>
> >> The only reference I could find was in "2.6 Fetching Resources":
> >>
> >> ---8<---
> >> For the purposes of the Origin  header, if the fetching algorithm was explicitly initiated from an origin, then the origin that initiated the HTTP request is origin. Otherwise, this is a request from a "privacy-sensitive" context. [ORIGIN]
> >>
> >> (from: http://www.whatwg.org/specs/web-apps/current-work/multipage/urls.html#fetching-resources)
> >> --->8---
> > 
> > That is the definition.
> 
> To clarify, the Origin header is sent for all requests now, except those 
> that don't have an origin?  The Origin header is sent for GET, POST, 
> XHR, and CORS?

It's sent for all invocations of the "fetch" algorithm in the HTML5 spec 
that explicitly specify that they come from a specific origin. Examples of 
invocations that include an explicit origin are the GET for a <script 
src>, the GET for <video src> and <source src>, and the POST done for the 
ping="" attribute. Examples of invocations that do not include an 
explicit origin include the GET for an application cache manifest, the GET 
for <img src="">, and the POST done by a user agent user interface 
element. For precise details please see the spec itself.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Tuesday, 25 May 2010 08:47:28 GMT

This archive was generated by hypermail 2.3.1 : Tuesday, 26 March 2013 18:49:38 GMT