Re: Do we need to rename the Origin header?

On 12 Jan 2009, at 16:31, Jonas Sicking wrote:

> There are 3 possible solutions that I can see to this:
> 1. Change the name of the Origin header in Access-Control
> 2. Change the name of the Origin header used for CSRF protection
> 3. Change the behavior of one (or both) of the specs such that they
> match in behavior.
>
> My concern with doing 3 is that the CSRF protection part hasn't been
> fully ironed out yet, so if we were to tie Access-Control to the CSRF
> protection scheme then that might leave Access-Control in flux longer
> than we want.

My preference would be 3.  Having two almost identical headers in  
place will only cause more confusion, and ultimately do damage.

Received on Tuesday, 13 January 2009 01:03:45 UTC