- From: Ian Hickson <ian@hixie.ch>
- Date: Tue, 13 Jan 2009 01:35:58 +0000 (UTC)
- To: Jonas Sicking <jonas@sicking.cc>
- Cc: Thomas Roessler <tlr@w3.org>, public-webapps@w3.org
On Mon, 12 Jan 2009, Jonas Sicking wrote: > > Well, they have semantically different meanings: > > The Access-Control one means "this is the party I'm sending data to". > The CSRF one means "this is the party that initiated the request". In particular, with CSRF, the requesting party is _not_ the party to which the server is sending data. I agree that using the same header is problematic. For HTML5 I'm happy to use whatever header people want. In fact ideally I'd love there to be an RFC or some documentation somewhere defining the header that HTML5 uses, so that I can reference that when requiring it be sent. Should I remove or rename 'Origin' in HTML5 for now? -- Ian Hickson U+1047E )\._.,--....,'``. fL http://ln.hixie.ch/ U+263A /, _.. \ _\ ;`._ ,. Things that are impossible just take longer. `._.-(,_..'--(,_..'`-.;.'
Received on Tuesday, 13 January 2009 01:36:34 UTC