W3C home > Mailing lists > Public > public-webapps@w3.org > April to June 2009

Re: Do we need to rename the Origin header?

From: Bil Corry <bil@corry.biz>
Date: Thu, 02 Apr 2009 23:58:16 -0500
Message-ID: <49D59768.5020308@corry.biz>
To: Ian Hickson <ian@hixie.ch>
CC: Jonas Sicking <jonas@sicking.cc>, Adam Barth <w3c@adambarth.com>, Anne van Kesteren <annevk@opera.com>, public-webapps@w3.org, Maciej Stachowiak <mjs@apple.com>, Sam Weinig <weinig@apple.com>
Ian Hickson wrote on 1/14/2009 4:07 PM: 
> On Tue, 13 Jan 2009, Jonas Sicking wrote:
>> On Tue, Jan 13, 2009 at 5:09 PM, Ian Hickson <ian@hixie.ch> wrote:
>>> On Tue, 13 Jan 2009, Jonas Sicking wrote:
>>>> It's not just POST that we need to worry about, ideally we should 
>>>> cover the GET case as well. Or at least it's quite likely that we 
>>>> will want to.
>>> My understanding was that we didn't want to include Origin in GET 
>>> requests. In fact HTML5 right now goes out of its way to avoid 
>>> including it in GET requests.
>> We've been debating this both ways at mozilla, no decision has been made 
>> yet regarding what we'll recommend.
> I've renamed it to XXX-Origin in HTML5. I haven't changed its behavior 
> (it is still only sent for non-GET).
> I'm trying to bring HTML5 to last call by October. Who "owns" this issue? 
> Do we have an ETA on resolving it?

Since HTML5's XXX-Origin header now differs slightly from CORS Origin header, I propose we rename HTML5's header to something without "Origin" in it to make the distinction between the two more clear -- i.e. to avoid developer implementation errors where they check for the wrong header.  As far as a name for the header goes, perhaps "Source" or "Request-Source" or ????

In addition, no matter which name is chosen for the header, it should be listed as a prohibited header for XHR.setRequestHeader() to avoid XHR requests spoofing it.

And as far as implementation goes, I'd really like to see XXX-Origin sent for any same-origin GET requests (currently GET requests exclude the header).  This still avoids leaking intranet hostnames to external sites and allows sites to verify that a request is coming from themselves.


- Bil
Received on Friday, 3 April 2009 04:59:01 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:12:53 UTC