- From: Anne van Kesteren <annevk@opera.com>
- Date: Mon, 26 May 2008 00:27:04 +0200
- To: "Jonas Sicking" <jonas@sicking.cc>
- Cc: "Adam Barth" <public-webapi@adambarth.com>, "Collin Jackson" <collinj@cs.stanford.edu>, "Web API WG (public)" <public-webapi@w3.org>
On Sun, 25 May 2008 23:36:48 +0200, Jonas Sicking <jonas@sicking.cc> wrote:

> If the header is simply named 'Origin' (or 'Referer-Root') then blocking
> any requests that include that header would also block for example
> cross-site image requests or cross-site POSTs.

Right. Given that it's likely we get extensions in the future that allow reading the contents of images (<img>.getImageData() or something) or the response of a <form> POST (some features in Web Forms 2.0 allow this as far as I can tell).

> This can be both good and bad. The good part is that it gives sites a
> tool to easily block all third-party requests. The bad part is that it
> makes it harder to just block the most dangerous ones, i.e. ones where
> the requesting site can read the response.

The response is never revealed unless specified by the server.

> I suggest we keep Access-Control-Origin as is. A separate 'Origin' spec
> seems useful, but I suspect it would be better done as a separate spec.

I'm not convinced it's worth separating the two.

-- 
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>
Received on Sunday, 25 May 2008 22:27:21 UTC
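The trade-off the two messages argue about, modelled as an added example that is not code from the thread or from either spec: a server that rejects every request carrying the cross-site header, run under the two header designs. It assumes, as the discussion frames them, that under an "Origin" design every cross-site request (image, form POST, XHR) carries Origin, that under the Access-Control design only XHR carries Access-Control-Origin, and that the server opts in to revealing a response with the later CORS header name Access-Control-Allow-Origin; the requesting origin and request kinds are constructed.

```python
# Added example (not from the thread). Models which cross-site requests a
# server ends up blocking when it rejects any request that carries the
# cross-site marker header, under the two header designs being discussed.
# Assumptions: "origin" design = Origin on every cross-site request;
# "access-control" design = Access-Control-Origin on XHR only; server opt-in
# header is Access-Control-Allow-Origin (later CORS name, assumed here).

REQUESTER = "http://requester.example"   # constructed requesting origin

def cross_site_headers(kind: str, design: str) -> dict:
    """Headers a browser would attach to a cross-site request of this kind."""
    if design == "origin":
        return {"Origin": REQUESTER}            # images, form POSTs and XHR alike
    if design == "access-control":
        # Only requests whose response the requester could read (XHR) are marked.
        return {"Access-Control-Origin": REQUESTER} if kind == "xhr" else {}
    raise ValueError(f"unknown design {design!r}")

def server(headers: dict, allowed: frozenset) -> tuple[int, dict, str]:
    """Reject any request carrying a cross-site marker unless the origin is
    allowed; otherwise serve the private body and opt in to sharing it."""
    origin = headers.get("Origin") or headers.get("Access-Control-Origin")
    if origin is not None and origin not in allowed:
        return 403, {}, ""
    resp_headers = {"Access-Control-Allow-Origin": origin} if origin else {}
    return 200, resp_headers, "private data"

def browser_readable(kind: str, status: int, resp_headers: dict) -> bool:
    """The requester sees the body only for XHR, and only if the server opted in."""
    return (kind == "xhr" and status == 200
            and resp_headers.get("Access-Control-Allow-Origin") == REQUESTER)

def outcome(design: str, allowed: frozenset = frozenset()) -> dict:
    """Map each cross-site request kind to ('loaded'|'blocked', readable)."""
    result = {}
    for kind in ("img", "form-post", "xhr"):
        status, resp_headers, _ = server(cross_site_headers(kind, design), allowed)
        result[kind] = ("loaded" if status == 200 else "blocked",
                        browser_readable(kind, status, resp_headers))
    return result

if __name__ == "__main__":
    for design in ("origin", "access-control"):
        print(design, outcome(design))
```

Under the "origin" design the blanket rejection also blocks the image and form POST, while under the Access-Control design only the readable XHR is blocked and the other two load with their responses still hidden from the requester.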