- From: Bil Corry <bil@corry.biz>
- Date: Thu, 02 Apr 2009 23:58:16 -0500
- To: Ian Hickson <ian@hixie.ch>
- CC: Jonas Sicking <jonas@sicking.cc>, Adam Barth <w3c@adambarth.com>, Anne van Kesteren <annevk@opera.com>, public-webapps@w3.org, Maciej Stachowiak <mjs@apple.com>, Sam Weinig <weinig@apple.com>
Ian Hickson wrote on 1/14/2009 4:07 PM:
> On Tue, 13 Jan 2009, Jonas Sicking wrote:
>> On Tue, Jan 13, 2009 at 5:09 PM, Ian Hickson <ian@hixie.ch> wrote:
>>> On Tue, 13 Jan 2009, Jonas Sicking wrote:
>>>> It's not just POST that we need to worry about, ideally we should
>>>> cover the GET case as well. Or at least it's quite likely that we
>>>> will want to.
>>> My understanding was that we didn't want to include Origin in GET
>>> requests. In fact HTML5 right now goes out of its way to avoid
>>> including it in GET requests.
>> We've been debating this both ways at mozilla, no decision has been made
>> yet regarding what we'll recommend.
>
> I've renamed it to XXX-Origin in HTML5. I haven't changed its behavior
> (it is still only sent for non-GET).
>
> I'm trying to bring HTML5 to last call by October. Who "owns" this issue?
> Do we have an ETA on resolving it?

Since HTML5's XXX-Origin header now differs slightly from CORS Origin header, I propose we rename HTML5's header to something without "Origin" in it to make the distinction between the two more clear -- i.e. to avoid developer implementation errors where they check for the wrong header. As far as a name for the header goes, perhaps "Source" or "Request-Source" or ????

In addition, no matter which name is chosen for the header, it should be listed as a prohibited header for XHR.setRequestHeader() to avoid XHR requests spoofing it.

And as far as implementation goes, I'd really like to see XXX-Origin sent for any same-origin GET requests (currently GET requests exclude the header). This still avoids leaking intranet hostnames to external sites and allows sites to verify that a request is coming from themselves.

Thoughts?

- Bil
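The server-side check the message has in mind, written out as an added example that is not part of the original thread or of any of the specifications it discusses. It compares the request's Origin header to the site's own origin and refuses state-changing requests that are cross-origin or carry no header at all; the `originOnGet` switch models the two behaviours under debate (header absent on GET, as in the HTML5 draft at the time, versus sent on same-origin GET, as proposed). The header name `origin`, the function names and the sample requests are assumptions made for illustration. The check is only meaningful if script cannot set the header, which is exactly why the message asks for it to be prohibited in XHR.setRequestHeader().

```javascript
// Added example, not code from the original message or any spec.
// Uses the WHATWG URL global available in Node.js and browsers.

// Normalise an origin string to scheme://host[:port] with the default
// port dropped and the host lower-cased. Returns null for the opaque
// "null" origin or anything that does not parse as an absolute URL.
function normalizeOrigin(origin) {
  try {
    const u = new URL(origin);
    return u.origin === 'null' ? null : u.origin;
  } catch (e) {
    return null; // "null", relative strings, garbage: treat as untrusted
  }
}

// Decide whether a request may proceed based on its Origin header.
//   method     - HTTP method as a string
//   headers    - request headers with lower-case keys (assumed shape)
//   siteOrigin - the origin this server considers "itself"
//   opts.originOnGet - true if user agents send Origin on same-origin GET
//                      (the proposal); false if only on non-GET (the draft)
function checkRequestOrigin(method, headers, siteOrigin, opts = {}) {
  const originOnGet = Boolean(opts.originOnGet);
  const site = normalizeOrigin(siteOrigin);
  const raw = headers['origin'];
  const isSafeMethod = method === 'GET' || method === 'HEAD';

  if (raw === undefined) {
    // No header. On a non-GET this is either cross-site (no Origin on
    // HTML form posts would be a non-conforming UA) or spoof-stripped,
    // so refuse. On GET it is only safe to refuse when the deployed UAs
    // actually send Origin for same-origin GET.
    if (!isSafeMethod) {
      return { allow: false, reason: 'missing Origin on non-GET' };
    }
    return originOnGet
      ? { allow: false, reason: 'missing Origin on GET' }
      : { allow: true, reason: 'GET without Origin (not sent for GET)' };
  }

  const origin = normalizeOrigin(raw);
  if (origin === null) {
    return { allow: false, reason: 'unparseable or null Origin' };
  }
  if (origin !== site) {
    return { allow: false, reason: 'cross-origin request from ' + origin };
  }
  return { allow: true, reason: 'same-origin' };
}

// Constructed sample requests (not captured traffic) run through the
// check, returned as an array of decisions so a caller can inspect them.
function runSamples(siteOrigin) {
  const samples = [
    { method: 'POST', headers: { origin: 'https://example.com' } },
    { method: 'POST', headers: { origin: 'https://attacker.example' } },
    { method: 'POST', headers: {} },
    { method: 'GET', headers: {} },
    { method: 'GET', headers: { origin: 'null' } },
  ];
  return samples.map((s) => ({
    method: s.method,
    origin: s.headers.origin,
    ...checkRequestOrigin(s.method, s.headers, siteOrigin),
  }));
}

// Uncomment to see the decisions when run directly:
// console.log(runSamples('https://example.com:443/'));
```

Note that the comparison is on the whole normalised origin (scheme, host and port), not just the hostname, so `http://example.com` is correctly treated as a different origin from `https://example.com`.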
Received on Friday, 3 April 2009 04:59:01 UTC