- From: Adam Barth <w3c@adambarth.com>
- Date: Mon, 26 Jan 2009 16:25:05 -0800
- To: Robert Sayre <sayrer@gmail.com>
- Cc: Thomas Broyer <t.broyer@gmail.com>, ietf-http-wg@w3.org
On Mon, Jan 26, 2009 at 1:25 PM, Robert Sayre <sayrer@gmail.com> wrote:
> So, does the header send more information than necessary?

Beats me. I don't think "minimum necessary" is the right criterion for evaluating the design. Instead, we should consider the cost/benefit trade-offs. There are clearly benefits to sending the Origin header to other hosts (supports web applications that span more than one host name). We disagree about the costs in terms of intranet-to-Internet leakage of host names from POST requests.

> Given the number of times unforeseen reuse has caused clients,
> proxies, and servers to have to block access to headers in various ways,
> you'd think the most minimal approach would be best.

Some of these unforeseen reuses might turn out to be valuable. I believe we've responded to the lion's share of privacy concerns by not sending the Origin header for GET. So far, we haven't heard a single anecdote about an intranet site that would be sad that we sent the Origin header for POST. I'm attempting to gather hard data on this point.

Adam
Received on Tuesday, 27 January 2009 00:25:48 UTC
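The server-side check that the design above enables, as an added example that is not part of the thread: an application spanning two host names validates the Origin header only on POST, because under the proposal discussed here browsers send Origin for POST but not for GET. The allowlist host names and port handling are constructed assumptions for this example.

```python
from urllib.parse import urlsplit

# Hypothetical allowlist for an application that spans more than one
# host name (constructed for this example, not taken from the thread).
ALLOWED_ORIGINS = {
    ("https", "app.example.com", 443),
    ("https", "api.example.com", 443),
}


def parse_origin(value):
    """Return (scheme, host, port) for an Origin header value, or None.

    A serialized origin is only scheme://host[:port]; anything with a
    path, query or fragment, the literal 'null', or a missing header
    is treated as unusable so the caller can deny it.
    """
    if value is None or value.strip().lower() == "null":
        return None
    try:
        parts = urlsplit(value.strip())
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    if parts.path or parts.query or parts.fragment:
        return None
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    return (parts.scheme, parts.hostname.lower(), port)


def check_request(method, origin_value, allowed=ALLOWED_ORIGINS):
    """Decide 'allow' or 'deny' for a request based on its Origin header.

    GET (and other read-only methods) carry no Origin under the design
    discussed above, so only state-changing methods are enforced; a
    POST with a missing, 'null', malformed or unlisted origin is denied.
    """
    if method.upper() in ("GET", "HEAD", "OPTIONS"):
        return "allow"
    origin = parse_origin(origin_value)
    if origin is None:
        return "deny"
    return "allow" if origin in allowed else "deny"
```

Because a missing Origin on POST is denied, a deployment must confirm that its clients actually send the header before turning the check on, or it will reject legitimate traffic.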