Re: Do we need to rename the Origin header? from Ian Hickson on 2009-06-03 (public-webapps@w3.org from April to June 2009)

From: Ian Hickson <ian@hixie.ch>
Date: Wed, 3 Jun 2009 01:11:30 +0000 (UTC)
To: Bil Corry <bil@corry.biz>
Cc: whatwg@whatwg.org, Jonas Sicking <jonas@sicking.cc>, Adam Barth <w3c@adambarth.com>, Anne van Kesteren <annevk@opera.com>, public-webapps@w3.org, Maciej Stachowiak <mjs@apple.com>, Sam Weinig <weinig@apple.com>
Message-ID: <Pine.LNX.4.62.0906030015550.1648@hixie.dreamhostps.com>

On Thu, 2 Apr 2009, Bil Corry wrote:
>
> Since the public-webapps list was never able to reconcile[1] HTML5's 
> Origin header (now renamed XXX-Origin[2]) with CORS's Origin header[3], 
> we're left with two headers with similar implementations and similar 
> names.  Due to this, it may prudent to rename XXX-Origin to something 
> without "Origin" in the name to better distinguish between the two.  I 
> don't know what the header should be renamed to ("Source"?), but no 
> matter which name is chosen for the header, it should be listed as a 
> prohibited header for XHR.setRequestHeader()[4].
> 
> [1] http://lists.w3.org/Archives/Public/public-webapps/2009JanMar/0057.html
> [2] http://www.whatwg.org/specs/web-apps/current-work/multipage/history.html#navigate-fragid-step
> [3] http://www.w3.org/TR/cors/#origin-header
> [4] http://www.w3.org/TR/XMLHttpRequest2/#author-request-headers

Based on advice from Adam, I have updated HTML5 to have "Origin" again.


On Thu, 2 Apr 2009, Bil Corry wrote:
>
> Related, HTML5 currently prohibits sending the XXX-Origin header for GET 
> requests.  This is to prevent intranet applications leaking their 
> internal hostnames to external sites (are there other reasons?).
> 
> However, there is value in a site being able to determine that a request 
> originated from itself, so to that end, I'd like to request that HTML5 
> specify that the XXX-Origin header should be sent for any same-origin 
> GET requests.  This would still avoid leaking intranet hostnames while 
> allowing a site to verify that a request came from itself.

That's an interesting idea; Adam, what do you think? I'm a bit wary of 
adding too many features at once here, and it's difficult to define 
exactly what consists a same-origin request sometimes, so this might not 
be that easy to do.


On Thu, 2 Apr 2009, Bil Corry wrote:
> 
> Since HTML5's XXX-Origin header now differs slightly from CORS Origin 
> header, I propose we rename HTML5's header to something without "Origin" 
> in it to make the distinction between the two more clear -- i.e. to 
> avoid developer implementation errors where they check for the wrong 
> header.  As far as a name for the header goes, perhaps "Source" or 
> "Request-Source" or ????

Can we just resolve the differences?

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

Received on Wednesday, 3 June 2009 01:12:03 UTC