- From: Tyler Close <tyler.close@gmail.com>
- Date: Mon, 8 Jun 2009 10:24:03 -0700
- To: "Mark S. Miller" <erights@google.com>
- Cc: Adam Barth <w3c@adambarth.com>, public-webapps <public-webapps@w3.org>
On Sun, Jun 7, 2009 at 4:18 PM, Mark S. Miller <erights@google.com> wrote:
> On Sun, Jun 7, 2009 at 3:28 PM, Adam Barth <w3c@adambarth.com> wrote:
>>
>> On Sun, Jun 7, 2009 at 3:21 PM, Mark S. Miller <erights@google.com> wrote:
>> > If the hypothesis I am raising is indeed not a problem, then it doesn't
>> > matter whether these same origin requests carry "Origin: null" or
>> > nothing.
>> > What matters is that JavaScript code have a standard way to request
>> > their browser to issue requests carrying no other credentials, even if
>> > back to the same origin.
>>
>> Yeah, I can see that as being useful. I encourage you to propose a
>> new API that does this. The Origin-header-as-CSRF-defense already
>> provides for this possibility. Is there something specific you'd like
>> me to change in the I-D to support this new API?
>
> Yes. I will take you up on this invitation. Thanks!

For CORS <http://www.w3.org/TR/access-control/>, and other parts of web-apps, I think the above agreement is the important take-away from this discussion. For sites with advertising, or other third-party widgets, it would be nice to have a way for code to issue network requests without impersonating the hosting page's Origin.

--Tyler
Received on Monday, 8 June 2009 17:24:36 UTC