Re: Comments on the HTTP Sec-From Header (draft-abarth-origin)

On Wed, 22 Jul 2009, Adam Barth wrote:
> I wonder if this syntax would work for CORS too?  We can take the 
> discussion to web-apps if you like, but the idea is if you get a 
> redirect (e.g., of a DELETE), then you can add a second Origin header to 
> the request instead of modifying the existing header.

I think that relying on sites to handle multiple headers correctly 
(especially when in the common case there will only be one) is asking for 
trouble. I know that they'd be breaking the spec if they didn't, but that 
isn't going to be any consolation when they get tricked.

Ian Hickson               U+1047E                )\._.,--....,'``.    fL       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

Received on Thursday, 23 July 2009 06:05:25 UTC