- From: Bil Corry <bil@corry.biz>
- Date: Sat, 20 Jun 2009 14:57:50 -0500
- To: Ian Hickson <ian@hixie.ch>
- CC: whatwg@whatwg.org, Jonas Sicking <jonas@sicking.cc>, Adam Barth <w3c@adambarth.com>, Anne van Kesteren <annevk@opera.com>, public-webapps@w3.org, Maciej Stachowiak <mjs@apple.com>, Sam Weinig <weinig@apple.com>

Ian Hickson wrote on 6/2/2009 8:11 PM:
> On Thu, 2 Apr 2009, Bil Corry wrote:
>> Related, HTML5 currently prohibits sending the XXX-Origin header for GET
>> requests. This is to prevent intranet applications leaking their
>> internal hostnames to external sites (are there other reasons?).
>>
>> However, there is value in a site being able to determine that a request
>> originated from itself, so to that end, I'd like to request that HTML5
>> specify that the XXX-Origin header should be sent for any same-origin
>> GET requests. This would still avoid leaking intranet hostnames while
>> allowing a site to verify that a request came from itself.
>
> That's an interesting idea; Adam, what do you think? I'm a bit wary of
> adding too many features at once here, and it's difficult to define
> exactly what consists a same-origin request sometimes, so this might not
> be that easy to do.

I've lost track, is this still something being considered?

- Bil

Received on Saturday, 20 June 2009 19:58:26 UTC