W3C home > Mailing lists > Public > public-webapps@w3.org > April to June 2009

Re: Do we need to rename the Origin header?

From: Bil Corry <bil@corry.biz>
Date: Fri, 03 Apr 2009 15:05:52 -0500
Message-ID: <49D66C20.20502@corry.biz>
To: Jonas Sicking <jonas@sicking.cc>
CC: Ian Hickson <ian@hixie.ch>, Adam Barth <w3c@adambarth.com>, Anne van Kesteren <annevk@opera.com>, public-webapps@w3.org, Maciej Stachowiak <mjs@apple.com>, Sam Weinig <weinig@apple.com>
Jonas Sicking wrote on 4/3/2009 1:26 PM: 
> I definitely think we need to have a real discussion about when to
> send he header, and what values it should have.
> We've done a lot of discussions internally at mozilla, but was hoping
> that Adam Barth would start work somewhere so that we could send our
> feedback.

Adam published his draft[1] and the discussion on the ietf-http-wg list came to the conclusion that it was unneeded and the referrer header could be revised to achieve most of the goals of the Origin header[2].

So the first question to ponder is if the referrer header really can adequately replace Origin.  If it can, then we should the move this discussion over to ietf-http-wg and work to make sure referrer is updated in a way to make it useful for CSRF protection.  If it can not, then we should discuss Origin here as the ietf-http-wg has made it very clear that they are not interested.

- Bil

[1] http://www.ietf.org/internet-drafts/draft-abarth-origin-00.txt
[2] http://lists.w3.org/Archives/Public/ietf-http-wg/2009JanMar/0219.html
Received on Friday, 3 April 2009 20:06:41 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:12:53 UTC