Re: Do we need to rename the Origin header?

From: Bil Corry <bil@corry.biz>
Date: Wed, 24 Jun 2009 19:48:18 -0500
Message-ID: <4A42C952.3000203@corry.biz>
To: Adam Barth <w3c@adambarth.com>
CC: Ian Hickson <ian@hixie.ch>, whatwg@whatwg.org, Jonas Sicking <jonas@sicking.cc>, Anne van Kesteren <annevk@opera.com>, public-webapps@w3.org, Maciej Stachowiak <mjs@apple.com>, Sam Weinig <weinig@apple.com>
Adam Barth wrote on 6/20/2009 6:25 PM:
> On Sat, Jun 20, 2009 at 12:57 PM, Bil Corry <bil@corry.biz> wrote:
>> I've lost track, is this still something being considered?
> I should have an updated draft posted soon.

I'm not clear with the new draft if it now allows Sec-From for same-origin GET requests, it says:

   Whenever a user agent issues an HTTP request from a "privacy-
   sensitive" context, the user agent MUST send the value "null" in the
   Sec-From header.

But it doesn't define "privacy-sensitive".  It does say:

   The Sec-From header also improves on the Referer header by NOT
   leaking intranet host names to external Web sites when a user follows
   a hyperlink from an intranet host to an external site because
   hyperlinks generate privacy-sensitive requests.

So presumably a GET request to the same origin isn't a "privacy-sensitive" request, but I'm just double-checking.  I think explicitly defining or referencing what constitutes a "privacy-sensitive" request would greatly improve the draft.

- Bil
Received on Thursday, 25 June 2009 00:49:42 UTC
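As an added illustration of the header semantics discussed above (example code, not part of the original thread or the draft), the following models the two sides of Sec-From: what a user agent would send for a hyperlink navigation versus a form or scripted request, and how a server could use the value as a CSRF check. It assumes, as Bil's reading of the quoted draft text suggests, that hyperlink navigations are the "privacy-sensitive" case and therefore carry "null", while other requests carry the serialized origin; `sec_from_value`, `accept_request` and the origins used are constructed for this example.

```python
from urllib.parse import urlsplit

# Constructed model of the draft wording quoted in the message above:
# a hyperlink navigation is treated as a "privacy-sensitive" context,
# so the user agent sends the literal value "null" instead of its origin.
# Whether same-origin GETs also carry the origin is exactly the open
# question in the thread; here only hyperlinks are treated as sensitive.

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def serialize_origin(url: str) -> str:
    """Reduce a URL to its scheme://host[:port] origin (no path, no query)."""
    parts = urlsplit(url)
    origin = f"{parts.scheme}://{parts.hostname}"
    if parts.port is not None:
        origin += f":{parts.port}"
    return origin


def sec_from_value(source_url: str, hyperlink: bool) -> str:
    """Value a user agent would place in Sec-From for a request initiated
    from source_url. Assumption: only hyperlink navigations are
    privacy-sensitive; form posts and scripted requests carry the origin."""
    if hyperlink:
        return "null"  # an intranet host name never reaches the external site
    return serialize_origin(source_url)


def accept_request(method: str, headers: dict, allowed_origins: set) -> bool:
    """Server-side CSRF check driven by Sec-From.

    Safe methods are accepted regardless of the header. State-changing
    methods must carry a Sec-From value that is one of our own origins;
    both "null" and a missing header are rejected, because neither proves
    the request was initiated from a page we control."""
    if method.upper() in SAFE_METHODS:
        return True
    value = headers.get("Sec-From")
    if value is None or value == "null":
        return False
    return value in allowed_origins
```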