- From: Anne van Kesteren <annevk@opera.com>
- Date: Sat, 24 May 2008 10:57:03 +0200
- To: "Adam Barth" <public-webapi@adambarth.com>, "Collin Jackson" <collinj@cs.stanford.edu>
- Cc: "Web API WG (public)" <public-webapi@w3.org>
On Sat, 24 May 2008 10:32:03 +0200, Anne van Kesteren <annevk@opera.com> wrote:
> On Tue, 13 May 2008 07:42:59 +0200, Adam Barth
> <public-webapi@adambarth.com> wrote:
>> One option is to rename the header "Sec-Origin", which is already
>> blocked in XHR Level 1.
>
> True, but I think Access-Control-Origin is better as it more clearly
> indicates what it is related to. And since we can safely do it given
> that cross-site requests won't work for XMLHttpRequest until Access
> Control is implemented I think it's acceptable.

It has been suggested that having an "Origin" header instead of "Access-Control-Origin" would be useful in other contexts as well. That browsers could always include this as it does not have the privacy issue the "Referer" header has (does not include the path) and could therefore be used for Access Control but also to prevent CSRF.

I'm not really sure whether that is a good idea, but you (Adam) and Collin can hopefully weigh in on that. :-)

--
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>
Received on Saturday, 24 May 2008 08:57:21 UTC