- From: Mark S. Miller <erights@google.com>
- Date: Thu, 3 Dec 2009 13:58:19 -0800
- To: Larry Masinter <masinter@adobe.com>
- Cc: Adam Barth <w3c@adambarth.com>, "public-web-security@w3.org" <public-web-security@w3.org>
It would be harmful.
On Thu, Dec 3, 2009 at 1:45 PM, Larry Masinter <masinter@adobe.com> wrote:
> I can understand "not sufficient". However, if the Origin header
> turns out to be "not necessary" (e.g., some other mechanism is
> more applicable) then would it be harmful to leave the HTML5
> spec requiring an Origin header?
>
>
> Larry
> --
> http://larry.masinter.net
>
>
> -----Original Message-----
> From: Adam Barth [mailto:w3c@adambarth.com]
> Sent: Thursday, December 03, 2009 1:40 PM
> To: Larry Masinter
> Cc: public-web-security@w3.org
> Subject: The Origin header (was Re: HTTPbis and the Same Origin Policy)
>
> Changing the subject line since this appears to be a new topic.
>
> On Thu, Dec 3, 2009 at 1:35 PM, Larry Masinter <masinter@adobe.com> wrote:
>> Is the "Origin" header generally agreed to be both necessary
>> and sufficient for same-origin-policy work to proceed?
>
> I'm not sure the Origin header is either necessary or sufficient. The
> same-origin policy is much larger and more extensive than a single
> header.
>
>> Right now, HTML 5 continues to refer to the Origin header as
>> supporting the same-origin policy, and it seemed to me that
>> there was still some disagreement about whether it should
>> be retained.
>>
>> The HTML issue is scheduled to be closed today (Dec 3) -- should it
>> remain open? Would anyone volunteer to write a "change proposal"
>> (re)moving "Origin header" from the HTML5 spec?
>>
>>
>> http://www.w3.org/html/wg/tracker/issues/63
>>
>> Larry
>> --
>> http://larry.masinter.net
>>
>>
>>
>
>
--
Cheers,
--MarkM
Received on Thursday, 3 December 2009 22:05:03 UTC