Re: The HTTP Origin Header (draft-abarth-origin)

Adam Barth wrote on 1/24/2009 5:31 PM: 
> On Sat, Jan 24, 2009 at 3:27 PM, Bil Corry <> wrote:
>> Doesn't XHR2 send the Origin header for GET?  That's prohibited by Adam's Origin draft,
> That is not prohibited by the draft.  The draft has only positive
> requirements on sending the Origin header.

Ah, then it's just a matter of semantics.  If the CSRF Origin was written to have "only positive requirements" to send the Origin header when the Origin is itself, then it wouldn't preclude the XHR2 Origin from sending it on cross-site requests.  I believe that would then address Ian's concern, correct?

- Bil

Received on Sunday, 25 January 2009 02:53:04 UTC