- From: Bil Corry <bil@corry.biz>
- Date: Wed, 24 Jun 2009 19:48:18 -0500
- To: Adam Barth <w3c@adambarth.com>
- CC: Ian Hickson <ian@hixie.ch>, whatwg@whatwg.org, Jonas Sicking <jonas@sicking.cc>, Anne van Kesteren <annevk@opera.com>, public-webapps@w3.org, Maciej Stachowiak <mjs@apple.com>, Sam Weinig <weinig@apple.com>
Adam Barth wrote on 6/20/2009 6:25 PM:
> On Sat, Jun 20, 2009 at 12:57 PM, Bil Corry <bil@corry.biz> wrote:
>> I've lost track, is this still something being considered?
>
> I should have an updated draft posted soon.

I'm not clear with the new draft if it now allows Sec-From for same-origin GET requests; it says:

-----
Whenever a user agent issues an HTTP request from a "privacy-sensitive" context, the user agent MUST send the value "null" in the Sec-From header.
-----

But it doesn't define "privacy-sensitive". It does say:

-----
The Sec-From header also improves on the Referer header by NOT leaking intranet host names to external Web sites when a user follows a hyperlink from an intranet host to an external site because hyperlinks generate privacy-sensitive requests.
-----

So presumably a GET request to the same origin isn't a "privacy-sensitive" request, but I'm just double-checking. I think explicitly defining or referencing what constitutes a "privacy-sensitive" request would greatly improve the draft.

- Bil
Received on Thursday, 25 June 2009 00:49:42 UTC
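The two passages Bil quotes describe the header from the user agent's side ("null" in a privacy-sensitive context, otherwise the requesting page's origin) but say nothing about how a server consumes it. The following is an added example, not code from this message, from Adam Barth's draft, or from any browser or server. It assumes only what the quoted text says (a followed hyperlink is privacy-sensitive and yields "null"); treating form submissions and XHR as not privacy-sensitive, refusing state-changing requests that carry no Sec-From at all, and the function names, origin allow-list and sample requests are all assumptions of this example.

```python
"""Sec-From header: user-agent side and server-side check (added example).

Assumptions of this example, not statements of the draft being discussed:
  - only a followed hyperlink is a privacy-sensitive context (the draft
    text quoted in the message names hyperlinks; it does not enumerate
    other contexts, so form submissions and XHR are assumed not to be);
  - a server refuses a state-changing request whose Sec-From is absent,
    "null", malformed, or names an origin outside its allow-list.
"""
from urllib.parse import urlsplit

# Contexts the user-agent model treats as privacy-sensitive (assumption).
PRIVACY_SENSITIVE_CONTEXTS = {"hyperlink"}
# Methods the server-side check does not gate on Sec-From (assumption,
# chosen so the open question of same-origin GET does not matter here).
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def origin_of(url, strict=False):
    """Serialize the origin of `url` as 'scheme://host[:port]'.

    Scheme and host are lowercased and a default port is dropped. With
    strict=True the value must be a bare origin: a path other than '/',
    a query, a fragment or userinfo makes it invalid. Returns None when
    the value is not an http(s) origin.
    """
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https") or not parts.hostname:
        return None
    if strict and (parts.path not in ("", "/") or parts.query
                   or parts.fragment or parts.username is not None):
        return None
    try:
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return None
    default_port = 443 if scheme == "https" else 80
    origin = f"{scheme}://{parts.hostname}"
    if port is not None and port != default_port:
        origin += f":{port}"
    return origin


def user_agent_sec_from(context, page_url):
    """Value a user agent sends for a request issued from `page_url`.

    A privacy-sensitive context yields the literal 'null', so following a
    link from an intranet page never reveals the intranet host name (the
    improvement over Referer that the draft text claims). Any other
    context yields the issuing page's origin.
    """
    if context in PRIVACY_SENSITIVE_CONTEXTS:
        return "null"
    return origin_of(page_url)


def check_sec_from(method, headers, allowed_origins):
    """Server-side decision for one request; returns (allowed, reason).

    `headers` is a dict of request headers (names matched
    case-insensitively); `allowed_origins` are the origins permitted to
    issue state-changing requests. 'null' cannot be attributed to any
    origin, so it is refused on a state-changing request.
    """
    method = method.upper()
    if method in SAFE_METHODS:
        return True, "safe method; Sec-From not checked"
    sec_from = next((v for k, v in headers.items()
                     if k.lower() == "sec-from"), None)
    if sec_from is None:
        return False, "Sec-From absent on state-changing request"
    if sec_from.strip().lower() == "null":
        return False, "Sec-From is null (privacy-sensitive context)"
    origin = origin_of(sec_from, strict=True)
    if origin is None:
        return False, f"malformed Sec-From: {sec_from!r}"
    allowed = {origin_of(o, strict=True) for o in allowed_origins} - {None}
    if origin in allowed:
        return True, f"Sec-From {origin} is an allowed origin"
    return False, f"Sec-From {origin} is not an allowed origin"


if __name__ == "__main__":
    # Constructed scenarios (not captured traffic).
    print(user_agent_sec_from("hyperlink", "http://wiki.intranet.example/p"))
    print(user_agent_sec_from("form", "https://Shop.Example.com:443/cart"))
    allowed = ["https://shop.example.com"]
    print(check_sec_from("POST", {"Sec-From": "https://shop.example.com"}, allowed))
    print(check_sec_from("POST", {"Sec-From": "null"}, allowed))
    print(check_sec_from("POST", {"Sec-From": "https://attacker.example"}, allowed))
```

The server-side policy deliberately ignores Sec-From on GET, so the behaviour of a same-origin GET (the point Bil asks the draft to pin down) does not affect the outcome; a deployment that wants to gate reads on the header would need the draft's definition of "privacy-sensitive" first. Rejecting a missing header breaks clients that never send it, so it is the strict end of the policy space and is marked as an assumption above.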