Re: The HTTP Origin Header (draft-abarth-origin)

On Mon, Jan 26, 2009 at 1:25 PM, Robert Sayre <> wrote:
> So, does the header send more information than necessary? Beats me.

I don't think "minimum necessary" is the right criterion for
evaluating the design.  Instead, we should consider the costs/benefit
trade-offs.  There are clearly benefits to sending the Origin header
to other hosts (supports web applications that span more than one host
name).  We disagree about the costs in terms of intranet-to-Internet
leakage of host names from POST requests.

> Given the number of times unforeseen reuse has caused clients,
> proxies, and servers to have to block access to headers in various ways,
> you'd think the most minimal approach would be best.

Some of these unforeseen reuses might turn out to be valuable.

I believe we've responded to the lion's share of privacy concerns by
not sending the Origin header for GET.  So far, we haven't heard a
single anecdote about an intranet site that would be sad that we sent
the Origin header for POST.  I'm attempting to gather hard data on
this point.

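Added example, not code from the thread or from the draft: a server-side check that consumes the Origin header as the message above describes it (sent on POST, absent on GET) for an application spanning two host names. The allowlist, the set of methods treated as state-changing, and the rejection of the opaque "null" value are assumptions made here.

```python
from urllib.parse import urlsplit

# Constructed allowlist for a hypothetical application that spans two host names
# (the multi-host case the message cites as the benefit of sending Origin cross-host).
ALLOWED_ORIGINS = {"https://app.example.com", "https://api.example.com"}

# Assumption: methods on which the header is expected and a mismatch is fatal.
# The discussion names POST; GET is deliberately excluded because the draft does not
# send Origin for it, so a GET carries no origin evidence to check.
STATE_CHANGING = {"POST", "PUT", "DELETE", "PATCH"}


def normalize_origin(value):
    """Reduce an Origin header value to scheme://host[:port] (lower-cased host,
    default port dropped). Returns "null" for the opaque value, None if malformed."""
    if value is None:
        return None
    value = value.strip()
    if value == "null":
        return "null"
    try:
        parts = urlsplit(value)
        port = parts.port          # raises ValueError on a non-numeric port
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    if parts.path or parts.query or parts.fragment:
        return None                # an origin carries no path component
    origin = f"{parts.scheme}://{parts.hostname}"
    default = 443 if parts.scheme == "https" else 80
    if port and port != default:
        origin += f":{port}"
    return origin


def check_origin(method, headers, allowed=ALLOWED_ORIGINS):
    """Return (allowed, reason) for one request. headers is a dict; key case is ignored."""
    method = method.upper()
    if method not in STATE_CHANGING:
        return True, "not state-changing; Origin not expected (absent on GET per the draft)"
    lowered = {k.lower(): v for k, v in headers.items()}
    origin = normalize_origin(lowered.get("origin"))
    if origin is None:
        return False, "missing or malformed Origin on a state-changing request"
    if origin == "null":
        return False, "opaque 'null' origin rejected"   # assumption: treat as untrusted
    if origin in allowed:
        return True, f"origin {origin} is allowlisted"
    return False, f"origin {origin} is not allowlisted"
```

A request from the second host name passes because both hosts are in the allowlist; a missing header on POST is rejected rather than treated as same-origin.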

Received on Tuesday, 27 January 2009 00:25:48 UTC