- From: Ian Hickson <ian@hixie.ch>
- Date: Tue, 25 May 2010 08:46:57 +0000 (UTC)
- To: Bil Corry <bil@corry.biz>
- Cc: Adam Barth <w3c@adambarth.com>, public-webapps@w3.org
On Mon, 24 May 2010, Bil Corry wrote:
> >>
> >> The only reference I could find was in "2.6 Fetching Resources":
> >>
> >> ---8<---
> >> For the purposes of the Origin header, if the fetching algorithm was explicitly initiated from an origin, then the origin that initiated the HTTP request is origin. Otherwise, this is a request from a "privacy-sensitive" context. [ORIGIN]
> >>
> >> (from: http://www.whatwg.org/specs/web-apps/current-work/multipage/urls.html#fetching-resources)
> >> --->8---
> >
> > That is the definition.
>
> To clarify, the Origin header is sent for all requests now, except those
> that don't have an origin? The Origin header is sent for GET, POST,
> XHR, and CORS?

It's sent for all invocations of the "fetch" algorithm in the HTML5 spec that explicitly specify that they come from a specific origin.

Examples of invocations that include an explicit origin are the GET for a <script src>, the GET for <video src> and <source src>, and the POST done for the ping="" attribute.

Examples of invocations that do not include an explicit origin include the GET for an application cache manifest, the GET for <img src="">, and the POST done by a user agent user interface element.

For precise details please see the spec itself.

--
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Tuesday, 25 May 2010 08:47:28 UTC
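
A server-side check built on the behaviour described in this message, as an added example that is not part of the original e-mail or of the HTML5 spec: because some fetches carry no explicit origin, a handler has to decide what to do when the header is missing. The allow-list, the function names, the treatment of a literal `null` value as equivalent to a missing header, and the policy of rejecting state-changing methods that arrive without an origin are all assumptions of this example.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}
ALLOWED = ["https://app.example.test"]  # constructed allow-list (assumption)


def parse_origin(value):
    """Return (scheme, host, port) for a bare scheme://host[:port] value,
    or None if the value is not a well-formed serialized origin."""
    try:
        parts = urlsplit(value.strip())
        port = parts.port  # raises ValueError on a bad port
    except ValueError:
        return None
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    # An origin has no path, query, fragment or userinfo.
    if parts.path or parts.query or parts.fragment:
        return None
    if parts.username is not None or parts.password is not None:
        return None
    if port is None:
        port = DEFAULT_PORTS[scheme]
    return (scheme, parts.hostname.lower(), port)


def origin_decision(method, headers, allowed_origins=ALLOWED):
    """Classify a request as 'allow', 'deny' or 'no-origin'.

    'no-origin' means the request gave no usable origin (header absent or
    "null"); this example tolerates that only for safe methods (assumption).
    """
    allowed = {parse_origin(o) for o in allowed_origins} - {None}
    raw = next((v for k, v in headers.items() if k.lower() == "origin"), None)
    if raw is None or raw.strip().lower() == "null":
        return "no-origin" if method.upper() in SAFE_METHODS else "deny"
    # Header present: it must parse and match the allow-list exactly.
    return "allow" if parse_origin(raw) in allowed else "deny"


if __name__ == "__main__":
    # Constructed sample requests: (method, headers)
    for method, headers in [
        ("POST", {"Origin": "https://app.example.test"}),
        ("POST", {"Origin": "https://other.example.test"}),
        ("POST", {}),
        ("GET", {}),
    ]:
        print(method, headers, "->", origin_decision(method, headers))
```
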