Re: HTTPbis and the Same Origin Policy

On Thu, Dec 3, 2009 at 1:35 PM, Larry Masinter <masinter@adobe.com> wrote:
> Is the "Origin" header generally agreed to be both necessary
> and sufficient for same-origin-policy work to proceed?

It is neither necessary nor sufficient. Several of us have also argued
that introducing an Origin header is a step backwards for web
security.


> Right now, HTML 5 continues to refer to the Origin header as
> supporting the same-origin policy, and it seemed to me that
> there was still some disagreement about whether it should
> be retained.
>
> The HTML issue is scheduled to be closed today (Dec 3) -- should it
> remain open? Would anyone volunteer to write a "change proposal"
> (re)moving "Origin header" from the HTML5 spec?
>
> http://www.w3.org/html/wg/tracker/issues/63

Were someone to volunteer, what would they be volunteering for? What
would be involved?


>
> Larry
> --
> http://larry.masinter.net

-- 
    Cheers,
    --MarkM

Received on Thursday, 3 December 2009 21:58:02 UTC