Re: XHR without user credentials from Mark S. Miller on 2009-06-13 (public-webapps@w3.org from April to June 2009)

From: Mark S. Miller <erights@google.com>
Date: Fri, 12 Jun 2009 19:17:44 -0700
To: Adam Barth <w3c@adambarth.com>
Cc: Anne van Kesteren <annevk@opera.com>, Tyler Close <tyler.close@gmail.com>, public-webapps <public-webapps@w3.org>
Message-ID: <4d2fac900906121917w77a6fb89mf4ea4d0f6deb26a3@mail.gmail.com>

On Fri, Jun 12, 2009 at 7:03 PM, Adam Barth <w3c@adambarth.com> wrote:

> > What server side behavior difference do you expect between messages with
> no Origin and messages with "Origin: null".
>
> You'll have to include Origin: null for POST requests.  You should
> include it for GET as well.
>

Does "have to" == "MUST"?
On credential-free GET, why "should" rather than "MUST"?

Isn't your answer above only about client (user agent) behavior? I'd still
like understand what the recommended/expected difference in server behavior
should/might be depending of whether Origin is absent or null. Thanks.

-- 
   Cheers,
   --MarkM

Received on Saturday, 13 June 2009 02:18:21 UTC