- From: Henri Sivonen <hsivonen@iki.fi>
- Date: Mon, 19 Jan 2009 01:33:27 +0200
- To: HTML WG <public-html@w3.org>
On the last telecon, I got ACTION-96 to ensure that the editor removes the Origin header from the spec. I have since reviewed the feasibility of removing the header from the spec and discussed the issue with Hixie. I think it would be unproductive for all parties involved to remove things from the spec without another spec to put them into if we want to keep the feature in general.

I see two ways to proceed:

1) Writing an Internet Draft that blesses the use of the Origin header for CSRF mitigation purposes in addition to its use as part of CORS, leaving it to other specifications to say when the header is to be sent. In this case, the normative text referring to the header could *not* be removed from the HTML5 specification, since HTML5 would need to state when the header is sent in the context of HTML5 features.

2) Writing an Internet Draft that blesses the use of the Origin header for CSRF mitigation purposes in addition to its use as part of CORS and defines that browser-like user agents must send it on *all* non-GET/HEAD HTTP requests unless another spec specifically says not to send it in a particular case. In this case, HTML5 wouldn't need to refer to the Internet Draft, but the ID would need to have a normative reference to "source browsing context".

In both cases, the ID would need to have a normative reference to the concept of "origin" as well as to "ASCII serialization of an origin".

Adam Barth is expected to write the ID. Until the ID is written, it doesn't make sense for me to pursue the Action further at this time. Hence, the Action won't be complete on deadline unless the Chairs accept this report as concluding ACTION-96.

-- 
Henri Sivonen
hsivonen@iki.fi
http://hsivonen.iki.fi/
Received on Sunday, 18 January 2009 23:34:11 UTC
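The mail above describes the Origin header as a CSRF mitigation under the rule in option 2 (browser-like user agents send it on every non-GET/HEAD request) and names the "ASCII serialization of an origin" the draft would have to reference. The following is an added example, not code from this thread, from Henri Sivonen, or from any spec: a server-side check that a practitioner could run on state-changing requests. The function names (`serializeOrigin`, `checkOrigin`, `evaluateSamples`), the sample requests, and the serialization convention used (scheme "://" host, plus ":" port only when it is not the scheme's default, as in later RFC 6454) are this example's own assumptions.

```javascript
// Added example of Origin-header CSRF checking; not from the W3C thread.
// Assumes the option-2 rule from the mail: a browser sends Origin on every
// non-GET/HEAD request, so a missing header on such a request is rejected.

const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// ASCII serialization of an origin (assumed convention for this example):
// scheme "://" host [ ":" port ], port omitted when it is the default.
// URL.hostname already yields the punycode (ASCII) form of an IDN host,
// and URL.port is "" for a scheme's default port.
function serializeOrigin(url) {
  const u = new URL(url);
  const port = u.port && u.port !== DEFAULT_PORTS[u.protocol] ? `:${u.port}` : "";
  return `${u.protocol}//${u.hostname}${port}`;
}

// Decide whether a request may proceed. Only GET/HEAD are exempt, matching
// the mail's wording; everything else must carry an allowed Origin.
function checkOrigin(method, originHeader, allowedOrigins) {
  const m = String(method).toUpperCase();
  if (m === "GET" || m === "HEAD") {
    return { ok: true, reason: "safe method, Origin not required" };
  }
  if (originHeader === undefined || originHeader === null || originHeader === "") {
    // Under option 2 a browser-like UA always sends Origin here, so absence
    // means either a non-browser client or a request we cannot vouch for.
    return { ok: false, reason: "missing Origin on non-GET/HEAD request" };
  }
  if (originHeader === "null") {
    // Opaque origin (e.g. sandboxed frame, data: URL); cannot be trusted.
    return { ok: false, reason: "opaque origin" };
  }
  // Exact string match against serialized origins: no substring or prefix
  // matching, so "https://example.com.evil.test" never passes.
  if (allowedOrigins.has(originHeader)) {
    return { ok: true, reason: "Origin allowed" };
  }
  return { ok: false, reason: `Origin ${originHeader} not allowed` };
}

// Constructed sample traffic (not captured data) exercising each branch.
const SAMPLE_REQUESTS = [
  { method: "GET",  origin: undefined,                         label: "plain navigation" },
  { method: "POST", origin: "https://example.com",             label: "same-site form post" },
  { method: "POST", origin: "https://attacker.test",           label: "cross-site form post" },
  { method: "POST", origin: undefined,                         label: "no Origin header" },
  { method: "POST", origin: "null",                            label: "sandboxed frame" },
  { method: "POST", origin: "https://example.com.attacker.test", label: "prefix-lookalike host" },
  { method: "DELETE", origin: "http://example.com:8080",       label: "dev port, allowed" },
];

// Allowed origins are built by serializing the site's own URLs, so they
// compare exactly against what a browser would send.
const ALLOWED = new Set([
  serializeOrigin("https://example.com:443/"),
  serializeOrigin("http://example.com:8080/app/"),
]);

// Returns the decision for every sample, in order.
function evaluateSamples() {
  return SAMPLE_REQUESTS.map((r) => ({
    label: r.label,
    ...checkOrigin(r.method, r.origin, ALLOWED),
  }));
}

if (typeof require !== "undefined" && require.main === module) {
  for (const d of evaluateSamples()) {
    console.log(`${d.ok ? "ALLOW" : "DENY "} ${d.label}: ${d.reason}`);
  }
}
```

Note that the check treats a missing Origin on a POST as a denial; that is only sound if every legitimate client is a browser-like user agent following the option-2 rule, so an API that also serves non-browser clients would need a second credential (such as a token) for those.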