W3C home > Mailing lists > Public > public-webapps@w3.org > April to June 2009

Re: Do we need to rename the Origin header?

From: Bil Corry <bil@corry.biz>
Date: Mon, 06 Apr 2009 16:09:34 -0500
Message-ID: <49DA6F8E.2040009@corry.biz>
To: Adam Barth <w3c@adambarth.com>
CC: Thomas Roessler <tlr@w3.org>, Jonas Sicking <jonas@sicking.cc>, Ian Hickson <ian@hixie.ch>, Anne van Kesteren <annevk@opera.com>, public-webapps@w3.org, Maciej Stachowiak <mjs@apple.com>, Sam Weinig <weinig@apple.com>, Sid Stamm <sstamm@mozilla.com>
Adam Barth wrote on 4/6/2009 3:04 PM: 
> 1) Enable CSRF mitigation for GET requests.
> To achieve (1), the Mozilla proposal sends the header (let's call it
> Blame-List for easy of discussion) for some GET requests, depending on
> how the requests were generated.  For example, a hyperlink or an image
> would not send Blame-List, but a form submission would.

Can we please include the Origin header for all same-origin requests, including GET and HEAD?  Or is there a compelling reason why not do to so?

Also, would there be value in having Origin sent for *all* requests, and if populating Origin is prohibited for that request (e.g. cross-origin GET), it sends "null" as the value?

- Bil
Received on Monday, 6 April 2009 21:10:23 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:12:53 UTC