- From: Jonas Sicking <jonas@sicking.cc>
- Date: Mon, 12 Jan 2009 17:59:34 -0800
- To: "Ian Hickson" <ian@hixie.ch>
- Cc: "Thomas Roessler" <tlr@w3.org>, public-webapps@w3.org
On Mon, Jan 12, 2009 at 5:35 PM, Ian Hickson <ian@hixie.ch> wrote:
> On Mon, 12 Jan 2009, Jonas Sicking wrote:
>>
>> Well, they have semantically different meanings:
>>
>> The Access-Control one means "this is the party I'm sending data to".
>> The CSRF one means "this is the party that initiated the request".
>
> In particular, with CSRF, the requesting party is _not_ the party to which
> the server is sending data.
>
> I agree that using the same header is problematic. For HTML5 I'm happy to
> use whatever header people want. In fact ideally I'd love there to be an
> RFC or some documentation somewhere defining the header that HTML5 uses,
> so that I can reference that when requiring it be sent.
>
> Should I remove or rename 'Origin' in HTML5 for now?

Well, HTML5 isn't the only place where this header has been discussed, but
it wouldn't be a bad idea I think.

/ Jonas
Received on Tuesday, 13 January 2009 02:00:09 UTC