- From: Adam Barth <w3c@adambarth.com>
- Date: Sun, 7 Jun 2009 15:28:48 -0700
- To: "Mark S. Miller" <erights@google.com>
- Cc: public-webapps <public-webapps@w3.org>, Arthur Barstow <art.barstow@nokia.com>, Thomas Roessler <tlr@w3.org>, Tyler Close <tyler.close@gmail.com>, Jonas Sicking <jonas@sicking.cc>, "General discussions concerning capability systems." <cap-talk@mail.eros-os.org>, Google Caja Discuss <google-caja-discuss@googlegroups.com>, Douglas Crockford <douglas@crockford.com>, Tyler Close <tyler@waterken.com>, Collin Jackson <collinj@cs.stanford.edu>, Collin Jackson <collin.jackson@gmail.com>, David Wagner <daw@cs.berkeley.edu>, www-tag@w3.org
On Sun, Jun 7, 2009 at 3:21 PM, Mark S. Miller <erights@google.com> wrote: > If the hypothesis I am raising is indeed not a problem, then it doesn't > matter whether these same origin requests carry "Origin: null" or nothing. > What matters is that JavaScript code have a standard way to request their > browser to issue requests carrying no other credentials, even if back to the > same origin. Yeah, I can see that as being useful. I encourage you to propose a new API that does this. The Origin-header-as-CSRF-defense already provides for this possibility. Is there something specific you'd like me to change in the I-D to support this new API? Adam
Received on Sunday, 7 June 2009 22:29:42 UTC