W3C home > Mailing lists > Public > whatwg@whatwg.org > March 2013

Re: [whatwg] Fetch: Origin header

From: Anne van Kesteren <annevk@annevk.nl>
Date: Fri, 8 Mar 2013 10:23:28 +0000
Message-ID: <CADnb78j=uhsCivqp3YF4g9rgsD5VLG+OBuTvESsk9fRjhnD-5Q@mail.gmail.com>
To: Adam Barth <w3c@adambarth.com>
Cc: WHATWG <whatwg@whatwg.org>
On Thu, Mar 7, 2013 at 7:29 PM, Adam Barth <w3c@adambarth.com> wrote:
> I don't have strong feelings one way or another.  Generally, I think
> it's a good idea if the presence of the Origin header isn't synonymous
> with the request being a CORS request because that could limit our
> ability to use the Origin header in the future.

Okay. So currently the mix of the Origin specification and the HTML
specification suggests you either do "Origin: /origin/" or "Origin:
null". However WebKit seems to do "Origin: /origin/" or no header at
all (for the "privacy-sensitive" cases). Ian also mentioned that we
can not just put the Origin header into every outgoing request as that
breaks the interwebs (per research you did for Chrome I believe?).

What do you think we should end up requiring?

Received on Friday, 8 March 2013 10:23:55 UTC

This archive was generated by hypermail 2.3.1 : Monday, 13 April 2015 23:09:20 UTC