- From: Collin Jackson <w3c@collinjackson.com>
- Date: Wed, 11 Jun 2008 00:22:54 -0700
- To: "Jon Ferraiolo" <jferrai@us.ibm.com>
- Cc: "Jonas Sicking" <jonas@sicking.cc>, "WAF WG (public)" <public-appformats@w3.org>, "Adam Barth" <abarth@cs.stanford.edu>
On Thu, May 15, 2008 at 4:06 PM, Jon Ferraiolo <jferrai@us.ibm.com> wrote:

> * Like AC and JSONRequest, the request includes the originating domain that
> is making the cross-site request. (MS is likely to have heartburn over this
> one because XDR doesn't send the domain for privacy reasons, but maybe this
> can be a browser security preference where some browsers can set a default
> of don't-send-originating-domain)

XDomainRequest also includes the origin that is making the cross-site request. Rather than naming this header "Origin", Microsoft named it "Referer", but hopefully they'll eventually rename it "Origin" to match XHR2+AC, JSONRequest, and postMessage.

Note that it's not sufficient to send only the originating domain. To protect against network attackers, cross-site requests should send the full origin, including the scheme. Some examples of why the scheme is important are available at <http://crypto.stanford.edu/websec/origins/scheme/>.

Collin Jackson
Received on Wednesday, 11 June 2008 07:23:29 UTC
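The point about the scheme, illustrated server-side as an added example (not code from the post or from any of the specifications it names): a check that only compares the host of the Origin header accepts an http:// origin when the site meant to allow only its https:// origin, while an exact match on scheme, host and port does not. The allow-list values and origin strings are constructed for the example.

```python
"""Origin-header check: host-only comparison versus full-origin comparison.
Added example; hosts and allow-lists below are constructed, not real."""
from typing import Optional, Set, Tuple
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def normalize_origin(origin: str) -> Optional[Tuple[str, str, int]]:
    """Parse an Origin header value into (scheme, host, port).

    Returns None for "null", an unknown scheme, a missing host, a bad port,
    or anything carrying a path/query/fragment (an origin has none of those).
    The default port is filled in so "https://h" and "https://h:443" compare equal.
    """
    if origin in ("", "null"):
        return None
    parts = urlsplit(origin)
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    if parts.path or parts.query or parts.fragment:
        return None
    try:
        port = parts.port
    except ValueError:  # non-numeric or out-of-range port
        return None
    if port is None:
        port = DEFAULT_PORTS[parts.scheme]
    return (parts.scheme, parts.hostname, port)  # hostname is already lowercased


def host_only_allowed(origin: str, allowed_hosts: Set[str]) -> bool:
    """The weak check: looks at the host and ignores the scheme entirely."""
    parsed = normalize_origin(origin)
    return parsed is not None and parsed[1] in allowed_hosts


def full_origin_allowed(origin: str, allowed_origins: Set[str]) -> bool:
    """The check the post argues for: exact match on scheme, host and port."""
    parsed = normalize_origin(origin)
    if parsed is None:
        return False
    return any(parsed == normalize_origin(allowed) for allowed in allowed_origins)


if __name__ == "__main__":
    allowed = {"https://app.example.com"}  # constructed allow-list
    for candidate in ("https://app.example.com", "http://app.example.com"):
        print(candidate, "host-only:", host_only_allowed(candidate, {"app.example.com"}),
              "full-origin:", full_origin_allowed(candidate, allowed))
```

Run directly it prints that the http:// origin passes the host-only check but fails the full-origin check, which is exactly the gap a network attacker on a plaintext connection would sit in.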