[whatwg] XXX-Origin header

Related, HTML5 currently prohibits sending the XXX-Origin header for GET requests.  This is to prevent intranet applications leaking their internal hostnames to external sites (are there other reasons?).

However, there is value in a site being able to determine that a request originated from itself, so to that end, I'd like to request that HTML5 specify that the XXX-Origin header should be sent for any same-origin GET requests.  This would still avoid leaking intranet hostnames while allowing a site to verify that a request came from itself.


- Bil

Received on Thursday, 2 April 2009 21:21:54 UTC