Re: [cors] TAG request concerning CORS & Next Step(s)

On Wed, Jun 24, 2009 at 8:42 PM, Bil Corry <bil@corry.biz> wrote:
> As written, a conforming UA could choose to always send NULL for redirects, which would be unfortunate.

That's correct.

> More concerning though, a conforming UA could choose to always send NULL for *all* HTTP requests.

That's correct.

> Might it be better to more strictly define the behavior?

That's why the draft says:

   Whenever a user agent issues an HTTP request that (1) is *not* the
   result of an HTTP redirect and (2) is *not* initiated from a
   "privacy-sensitive" context, the user agent SHOULD set the value of
   the Sec-From header to the ASCII serialization of the origin that
   initiated the HTTP request.

Adam

Received on Thursday, 25 June 2009 03:49:40 UTC
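
The rule quoted from the draft in the message above, as an added JavaScript sketch that is not part of the original message or of the draft. The names `secFromValue` and `asciiOrigin`, the `ctx` fields, the policy names, the lowercase `null` literal, and sending `null` whenever the two conditions are not met are assumptions made for illustration. It shows that a user agent following the SHOULD and one that always sends null both conform to the quoted text.

```javascript
// Added illustration of the quoted draft rule; not code from the draft or its authors.
const NULL_VALUE = "null"; // assumed literal; the thread writes it as NULL

// ASCII serialization of an origin: scheme://host[:port], with the scheme and
// host lowercased, the default port omitted and IDN hosts in punycode.
// Anything that is not an http(s) URL is treated here as having no origin.
function asciiOrigin(initiatorUrl) {
  let u;
  try {
    u = new URL(initiatorUrl);
  } catch {
    return NULL_VALUE; // unparsable initiator
  }
  if (u.protocol !== "http:" && u.protocol !== "https:") return NULL_VALUE;
  return u.origin;
}

// ctx: { initiator, isRedirect, privacySensitive } (hypothetical field names).
// "strict" follows the SHOULD; "always-null" is the user agent the thread
// says would still be conforming as the draft is written.
function secFromValue(ctx, policy = "strict") {
  if (policy === "always-null") return NULL_VALUE;
  if (ctx.isRedirect || ctx.privacySensitive) return NULL_VALUE; // assumed fallback
  return asciiOrigin(ctx.initiator);
}

// Constructed sample requests, not taken from the thread.
const SAMPLE = [
  { initiator: "HTTP://Example.COM:80/form", isRedirect: false, privacySensitive: false },
  { initiator: "https://b\u00fccher.example:8443/", isRedirect: false, privacySensitive: false },
  { initiator: "https://example.com/login", isRedirect: true, privacySensitive: false },
  { initiator: "https://example.com/private", isRedirect: false, privacySensitive: true },
  { initiator: "data:text/html,<form>", isRedirect: false, privacySensitive: false },
];

// Header value each kind of user agent would send for every sample request.
function headerTable(requests) {
  return requests.map((ctx) => ({
    initiator: ctx.initiator,
    strict: secFromValue(ctx, "strict"),
    alwaysNull: secFromValue(ctx, "always-null"),
  }));
}

for (const row of headerTable(SAMPLE)) {
  console.log(`${row.initiator}\n  strict:      Sec-From: ${row.strict}\n  always-null: Sec-From: ${row.alwaysNull}`);
}
```
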