- From: Bil Corry <bil@corry.biz>
- Date: Fri, 03 Apr 2009 15:05:52 -0500
- To: Jonas Sicking <jonas@sicking.cc>
- CC: Ian Hickson <ian@hixie.ch>, Adam Barth <w3c@adambarth.com>, Anne van Kesteren <annevk@opera.com>, public-webapps@w3.org, Maciej Stachowiak <mjs@apple.com>, Sam Weinig <weinig@apple.com>
Jonas Sicking wrote on 4/3/2009 1:26 PM:

> I definitely think we need to have a real discussion about when to
> send the header, and what values it should have.
>
> We've done a lot of discussions internally at Mozilla, but were hoping
> that Adam Barth would start work somewhere so that we could send our
> feedback.

Adam published his draft[1] and the discussion on the ietf-http-wg list came to the conclusion that it was unneeded and the referrer header could be revised to achieve most of the goals of the Origin header[2].

So the first question to ponder is if the referrer header really can adequately replace Origin. If it can, then we should move this discussion over to ietf-http-wg and work to make sure referrer is updated in a way to make it useful for CSRF protection. If it can not, then we should discuss Origin here as the ietf-http-wg has made it very clear that they are not interested.

- Bil

[1] http://www.ietf.org/internet-drafts/draft-abarth-origin-00.txt

[2] http://lists.w3.org/Archives/Public/ietf-http-wg/2009JanMar/0219.html

Received on Friday, 3 April 2009 20:06:41 UTC