- From: Bil Corry <bil@corry.biz>
- Date: Mon, 06 Apr 2009 16:09:34 -0500
- To: Adam Barth <w3c@adambarth.com>
- CC: Thomas Roessler <tlr@w3.org>, Jonas Sicking <jonas@sicking.cc>, Ian Hickson <ian@hixie.ch>, Anne van Kesteren <annevk@opera.com>, public-webapps@w3.org, Maciej Stachowiak <mjs@apple.com>, Sam Weinig <weinig@apple.com>, Sid Stamm <sstamm@mozilla.com>
Adam Barth wrote on 4/6/2009 3:04 PM: > 1) Enable CSRF mitigation for GET requests. > > To achieve (1), the Mozilla proposal sends the header (let's call it > Blame-List for easy of discussion) for some GET requests, depending on > how the requests were generated. For example, a hyperlink or an image > would not send Blame-List, but a form submission would. Can we please include the Origin header for all same-origin requests, including GET and HEAD? Or is there a compelling reason why not do to so? Also, would there be value in having Origin sent for *all* requests, and if populating Origin is prohibited for that request (e.g. cross-origin GET), it sends "null" as the value? - Bil
Received on Monday, 6 April 2009 21:10:23 UTC