Re: Do we need to rename the Origin header? from Jonas Sicking on 2009-04-03 (public-webapps@w3.org from April to June 2009)

From: Jonas Sicking <jonas@sicking.cc>
Date: Fri, 3 Apr 2009 11:26:36 -0700
To: Bil Corry <bil@corry.biz>
Cc: Ian Hickson <ian@hixie.ch>, Adam Barth <w3c@adambarth.com>, Anne van Kesteren <annevk@opera.com>, public-webapps@w3.org, Maciej Stachowiak <mjs@apple.com>, Sam Weinig <weinig@apple.com>
Message-ID: <63df84f0904031126x1da8465ag195c7738c37789cc@mail.gmail.com>

On Thu, Apr 2, 2009 at 9:58 PM, Bil Corry <bil@corry.biz> wrote:
> Ian Hickson wrote on 1/14/2009 4:07 PM:
>> On Tue, 13 Jan 2009, Jonas Sicking wrote:
>>> On Tue, Jan 13, 2009 at 5:09 PM, Ian Hickson <ian@hixie.ch> wrote:
>>>> On Tue, 13 Jan 2009, Jonas Sicking wrote:
>>>>> It's not just POST that we need to worry about, ideally we should
>>>>> cover the GET case as well. Or at least it's quite likely that we
>>>>> will want to.
>>>> My understanding was that we didn't want to include Origin in GET
>>>> requests. In fact HTML5 right now goes out of its way to avoid
>>>> including it in GET requests.
>>> We've been debating this both ways at mozilla, no decision has been made
>>> yet regarding what we'll recommend.
>>
>> I've renamed it to XXX-Origin in HTML5. I haven't changed its behavior
>> (it is still only sent for non-GET).
>>
>> I'm trying to bring HTML5 to last call by October. Who "owns" this issue?
>> Do we have an ETA on resolving it?
>
> Since HTML5's XXX-Origin header now differs slightly from CORS Origin header, I propose we rename HTML5's header to something without "Origin" in it to make the distinction between the two more clear -- i.e. to avoid developer implementation errors where they check for the wrong header.  As far as a name for the header goes, perhaps "Source" or "Request-Source" or ????
>
> In addition, no matter which name is chosen for the header, it should be listed as a prohibited header for XHR.setRequestHeader() to avoid XHR requests spoofing it.
>
> And as far as implementation goes, I'd really like to see XXX-Origin sent for any same-origin GET requests (currently GET requests exclude the header).  This still avoids leaking intranet hostnames to external sites and allows sites to verify that a request is coming from themselves.
>
> Thoughts?

I definitely think we need to have a real discussion about when to
send he header, and what values it should have.

We've done a lot of discussions internally at mozilla, but was hoping
that Adam Barth would start work somewhere so that we could send our
feedback.

/ Jonas

Received on Friday, 3 April 2009 18:27:27 UTC