- From: Anne van Kesteren <annevk@opera.com>
- Date: Wed, 10 Jun 2009 09:59:24 +0200
- To: "Adam Barth" <w3c@adambarth.com>, "Jonas Sicking" <jonas@sicking.cc>
- Cc: "Tyler Close" <tyler.close@gmail.com>, public-webapps <public-webapps@w3.org>
On Wed, 10 Jun 2009 01:05:31 +0200, Adam Barth <w3c@adambarth.com> wrote: > Either of these are fine with me. I'll update the > Origin-for-CSRF-defense draft to match whatever CORS would like to do > here. I'd prefer a space-separated list. Each time you encounter a cross-origin redirect you append a space and the new origin to the Origin header and use it in the next request. (This can lead to a single origin being listed multiple times. I think that is ok.) This way Web services can be moved cross-origin without breaking any usage of them. (E.g. if a Web service from startup.example is moved to bigco.example.) Since nobody is handling redirects yet this should not be much of an issue. -- Anne van Kesteren http://annevankesteren.nl/
Received on Wednesday, 10 June 2009 08:00:06 UTC