Re: Do we need to rename the Origin header?

Jonas Sicking wrote on 4/3/2009 1:26 PM: 
> I definitely think we need to have a real discussion about when to
> send the header, and what values it should have.
> 
> We've done a lot of discussions internally at Mozilla, but were hoping
> that Adam Barth would start work somewhere so that we could send our
> feedback.

Adam published his draft[1] and the discussion on the ietf-http-wg list came to the conclusion that it was unneeded and the referrer header could be revised to achieve most of the goals of the Origin header[2].

So the first question to ponder is if the referrer header really can adequately replace Origin.  If it can, then we should move this discussion over to ietf-http-wg and work to make sure referrer is updated in a way to make it useful for CSRF protection.  If it cannot, then we should discuss Origin here as the ietf-http-wg has made it very clear that they are not interested.

- Bil

[1] http://www.ietf.org/internet-drafts/draft-abarth-origin-00.txt
[2] http://lists.w3.org/Archives/Public/ietf-http-wg/2009JanMar/0219.html

Received on Friday, 3 April 2009 20:06:41 UTC