- From: Julian Reschke <julian.reschke@gmx.de>
- Date: Fri, 26 Aug 2011 10:08:21 +0200
- To: Adam Barth <w3c@adambarth.com>
- CC: Peter Saint-Andre <stpeter@stpeter.im>, public-web-security <public-web-security@w3.org>, Thomas Roessler <tlr@w3.org>, websec <websec@ietf.org>

On 2011-08-26 09:58, Adam Barth wrote:
> ...
> That could well be important if the Origin header is used in other
> protocols, such as CORS. Would you recommend requiring the first or
> the last instance?
> ...

(cc'ing the IETF WG; I was replying to the wrong email thread)

I think the right thing to do would be to recommend one of:

- treat the message as invalid, or
- ignore the header field (whatever that means...).

Picking one of the two seems to be the wrong approach.

Best regards, Julian

Received on Friday, 26 August 2011 08:08:49 UTC
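
Added example, not part of the original message: a Python sketch of the two handling options recommended above for a request that carries more than one Origin header field, next to what first-instance and last-instance selection would each return for the same request. The names `Policy`, `origin_of` and `first_and_last` and the sample request are hypothetical, and reading "ignore the header field" as "treat Origin as absent" is an assumption, since the message leaves its meaning open.

```python
from enum import Enum


class Policy(Enum):
    REJECT = "reject"  # treat the whole message as invalid
    IGNORE = "ignore"  # assumption: behave as if no Origin field was sent


class InvalidMessage(ValueError):
    """Raised when the request head must not be processed."""


def header_fields(raw_head: bytes):
    """Yield (lowercased name, value) for each header line of a request head."""
    lines = raw_head.split(b"\r\n\r\n", 1)[0].split(b"\r\n")[1:]  # skip request line
    for line in lines:
        name, sep, value = line.partition(b":")
        # A missing colon or whitespace around the field name is malformed.
        if not sep or not name or name != name.strip():
            raise InvalidMessage(f"malformed header line: {line!r}")
        yield name.decode("ascii").lower(), value.strip().decode("latin-1")


def origins_in(raw_head: bytes):
    """All Origin values in order of appearance (field names are case-insensitive)."""
    return [value for name, value in header_fields(raw_head) if name == "origin"]


def origin_of(raw_head: bytes, policy: Policy):
    """Return the single Origin value, or None when absent or ignored."""
    origins = origins_in(raw_head)
    if len(origins) <= 1:
        return origins[0] if origins else None
    if policy is Policy.REJECT:
        raise InvalidMessage(f"{len(origins)} Origin header fields")
    return None  # Policy.IGNORE: duplicates carry no usable origin


def first_and_last(raw_head: bytes):
    """What a first-instance and a last-instance implementation would each see."""
    origins = origins_in(raw_head)
    return origins[0], origins[-1]


# Constructed sample request with two Origin header fields.
SAMPLE = (b"POST /transfer HTTP/1.1\r\n"
          b"Host: bank.example\r\n"
          b"Origin: https://bank.example\r\n"
          b"origin: https://other.example\r\n"
          b"\r\n")
```
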