- From: Ian Hickson <ian@hixie.ch>
- Date: Fri, 23 Jan 2009 10:26:37 +0000 (UTC)
- To: Daniel Stenberg <daniel@haxx.se>
- Cc: ietf-http-wg@w3.org

On Fri, 23 Jan 2009, Daniel Stenberg wrote:
>
> Further, the argument:
>
> > the employee will not leak any information in the Origin header
> > because it is not sent for GET requests.
>
> ... will thus break when that same intranet has a 'search the with
> loogle' field that sends a POST to the external site?

Search is usually done with GET, but even if it was, leaking a hostname
isn't a big deal -- it's unlikely that confidential information will be in
a hostname. (This is one reason why the Origin header doesn't include the
path information.)

--
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

Received on Friday, 23 January 2009 10:27:13 UTC