Re: LC nits on draft-ietf-websec-origin-04, Re: Fwd: [websec] WG Last Call on draft-ietf-websec-origin-02 until Aug-15

On 2011-08-26 09:58, Adam Barth wrote:
> ...
> That could well be important if the Origin header is used in other
> protocols, such as CORS.  Would you recommend requiring the first or
> the last instance?
> ...

(cc'ing the IETF WG; I was replying to the wrong email thread)

I think the right thing to do would be to recommend one of:

- treat the message as invalid, or

- ignore the header field (whatever that means...).

Picking one of the two seems to be the wrong approach.

Best regards, Julian

Received on Friday, 26 August 2011 08:08:49 UTC
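
Added example (not part of the message above or of the draft): a sketch of the two behaviours recommended in the message for a request with more than one Origin header field, next to what "first" and "last" selection would return for the same request. The function names, the policy strings, the sample request, and the reading of "ignore" as "proceed as if no Origin was sent" are assumptions made for illustration.

```python
from typing import List, Optional, Tuple

# Constructed sample: one request carrying two Origin header fields.
SAMPLE_REQUEST = (
    b"POST /update HTTP/1.1\r\n"
    b"Host: example.com\r\n"
    b"Origin: https://a.example\r\n"
    b"origin: https://b.example\r\n"
    b"\r\n"
)

def parse_header_fields(raw: bytes) -> List[Tuple[str, str]]:
    """Return (lowercased name, value) pairs in wire order."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    fields = []
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if not sep or not name or name != name.strip():
            raise ValueError(f"malformed header line: {line!r}")
        fields.append((name.lower(), value.strip()))
    return fields

def first_and_last(fields) -> Tuple[Optional[str], Optional[str]]:
    """What 'pick the first' and 'pick the last' would each return."""
    values = [v for n, v in fields if n == "origin"]
    return (values[0], values[-1]) if values else (None, None)

def resolve_origin(fields, policy: str = "reject") -> Tuple[str, Optional[str]]:
    """Apply one of the two recommended behaviours to repeated Origin fields.

    'reject': the whole message is invalid (caller answers e.g. 400).
    'ignore': assumed here to mean "proceed as if no Origin was sent".
    """
    if policy not in ("reject", "ignore"):
        raise ValueError(f"unknown policy: {policy}")
    values = [v for n, v in fields if n == "origin"]
    if len(values) <= 1:
        return ("ok", values[0] if values else None)
    return ("invalid", None) if policy == "reject" else ("ok", None)

if __name__ == "__main__":
    fields = parse_header_fields(SAMPLE_REQUEST)
    print(first_and_last(fields))            # the two picks disagree
    print(resolve_origin(fields, "reject"))
    print(resolve_origin(fields, "ignore"))
```

With the "ignore" policy the caller still has to decide how a request without an Origin is treated, since that is the state the request ends up in.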