Re: Origin

On Sun, 25 May 2008 23:36:48 +0200, Jonas Sicking <jonas@sicking.cc> wrote:
> If the header is simply named 'Origin' (or 'Referer-Root') then blocking  
> any requests that include that header would also block for example  
> cross-site image requests or cross-site POSTs.

Right. Given that it's likely we get extensions in the future that allow  
reading the contents of images (<img>.getImageData() or something) or the  
response of a <form> POST (some features in Web Forms 2.0 allow this as  
far as I can tell).


> This can be both good and bad. The good part is that it gives sites a  
> tool to easily block all third-party requests. The bad part is that it  
> makes it harder to just block the most dangerous ones, i.e. ones where  
> the requesting site can read the response.

The response is never revealed unless specified by the server.


> I suggest we keep Access-Control-Origin as is. A separate 'Origin' spec  
> seems useful, but I suspect it would be better done as a separate spec.

I'm not convinced it's worth separating the two.


-- 
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>

Received on Sunday, 25 May 2008 22:27:21 UTC
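The trade-off discussed above (blocking every request that carries an Origin header versus leaving the request alone and only controlling who may read the response) can be shown as two server-side policies. This is an added example, not code from the thread or from any W3C draft; the serving origin, the allowlist, the request objects and the function names are constructed for illustration. The response header name used here is the standardized `Access-Control-Allow-Origin` rather than the draft-era name mentioned in the thread, and the browser, not the server, is what actually withholds an unreadable body from the calling page.

```python
from dataclasses import dataclass, field
from typing import Optional

SELF_ORIGIN = "https://api.example"          # constructed: the site serving the resource
ALLOWED_READERS = {"https://app.example"}    # constructed: origins allowed to read responses


@dataclass
class Request:
    method: str
    origin: Optional[str] = None    # value of the Origin request header, None if absent


@dataclass
class Decision:
    served: bool                    # does the server produce the resource at all?
    readable: bool                  # may the requesting page read the response body?
    headers: dict = field(default_factory=dict)


def is_cross_site(req: Request) -> bool:
    """A request is cross-site when it carries an Origin that is not our own."""
    return req.origin is not None and req.origin != SELF_ORIGIN


def block_all_third_party(req: Request) -> Decision:
    """Coarse policy: refuse every cross-site request outright.

    This is the 'good part' from the thread (one rule blocks all third-party
    traffic) and the 'bad part' at once: cross-site <img> loads and plain
    form POSTs, which cannot read the response anyway, are blocked too.
    """
    if is_cross_site(req):
        return Decision(served=False, readable=False)
    return Decision(served=True, readable=True)


def expose_only_to_allowlist(req: Request) -> Decision:
    """Finer policy: always serve, but only opt allowlisted origins into reading.

    Same-origin callers can read by the same-origin policy. Cross-site callers
    get the body only if the server names them in the response header; for
    everyone else the request still happens (images render, POSTs land) but
    the browser never reveals the response to the calling page.
    """
    if not is_cross_site(req):
        return Decision(served=True, readable=True)
    if req.origin in ALLOWED_READERS:
        return Decision(
            served=True,
            readable=True,
            headers={"Access-Control-Allow-Origin": req.origin},
        )
    return Decision(served=True, readable=False)


def compare_policies(req: Request) -> dict:
    """Run both policies on one constructed request and return the outcomes."""
    return {
        "block_all": block_all_third_party(req),
        "allowlist": expose_only_to_allowlist(req),
    }


if __name__ == "__main__":
    samples = [
        Request("GET", None),                       # no Origin: treated as our own page
        Request("GET", "https://app.example"),      # allowlisted cross-site reader
        Request("POST", "https://other.example"),   # ordinary cross-site form POST
    ]
    for sample in samples:
        print(sample, compare_policies(sample))
```

Note how the third sample differs between the two policies: the coarse rule drops the POST entirely, while the allowlist rule lets it through and simply declines to make the response readable, which is the distinction the reply draws when it says the response is never revealed unless the server specifies.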