- From: Thomas Roessler <tlr@w3.org>
- Date: Mon, 12 Jan 2009 18:02:22 -0800
- To: "Jonas Sicking" <jonas@sicking.cc>
- Cc: "Ian Hickson" <ian@hixie.ch>, public-webapps@w3.org
On 12 Jan 2009, at 17:59, Jonas Sicking wrote:

> On Mon, Jan 12, 2009 at 5:35 PM, Ian Hickson <ian@hixie.ch> wrote:
>> On Mon, 12 Jan 2009, Jonas Sicking wrote:
>>>
>>> Well, they have semantically different meanings:
>>>
>>> The Access-Control one means "this is the party I'm sending data to".
>>> The CSRF one means "this is the party that initiated the request".
>>
>> In particular, with CSRF, the requesting party is _not_ the party to which
>> the server is sending data.
>>
>> I agree that using the same header is problematic. For HTML5 I'm happy to
>> use whatever header people want. In fact ideally I'd love there to be an
>> RFC or some documentation somewhere defining the header that HTML5 uses,
>> so that I can reference that when requiring it be sent.
>>
>> Should I remove or rename 'Origin' in HTML5 for now?
>
> Well, HTML5 isn't the only place where this header has been discussed,
> but it wouldn't be a bad idea I think.

+1

Having the CSRF-Origin defined in an RFC or another separate spec is a good idea independently of whether or not it ends up being the same header that's used for cross-site XHR.
Received on Tuesday, 13 January 2009 02:02:32 UTC
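The two meanings the thread distinguishes show up as two different server-side checks. The example below is added here and is not code from the thread or from any W3C specification; it assumes a request header named "Origin" (the name whose reuse the thread is debating), a Referer fallback when that header is absent, and a hypothetical application origin "https://app.example". The CSRF check compares the initiating party against the site itself, while the Access-Control check compares the party that will receive the response against an allowlist.

```python
from urllib.parse import urlsplit

# Methods that must not change server state and therefore need no CSRF check.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}
DEFAULT_PORTS = {"http": 80, "https": 443}


def get_header(headers, name):
    """Case-insensitive lookup in a plain dict of request headers."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


def normalize_origin(value):
    """Reduce a URL or origin string to scheme://host[:port], lowercased.

    Returns None for anything that is not an http(s) origin, including the
    literal string "null" that browsers send for opaque origins.
    """
    if value is None:
        return None
    parts = urlsplit(value.strip())
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    try:
        port = parts.port
    except ValueError:  # non-numeric or out-of-range port
        return None
    if port is None or port == DEFAULT_PORTS[parts.scheme]:
        return f"{parts.scheme}://{parts.hostname}"
    return f"{parts.scheme}://{parts.hostname}:{port}"


def csrf_check(method, headers, self_origin):
    """CSRF view of the header: who *initiated* this request?

    A state-changing request is accepted only when the initiating origin is
    the application's own origin. Returns (accepted, reason).
    """
    if method.upper() in SAFE_METHODS:
        return True, "safe method"
    origin = get_header(headers, "Origin")
    if origin is not None and origin.strip().lower() == "null":
        return False, "opaque origin"
    if origin is not None:
        source, label = normalize_origin(origin), "same-origin"
    else:
        # Assumed policy: fall back to the Referer's origin when Origin is absent.
        source, label = normalize_origin(get_header(headers, "Referer")), "same-origin (Referer)"
    if source is None:
        return False, "no origin information"
    if source != normalize_origin(self_origin):
        return False, "cross-site request"
    return True, label


def cors_response_headers(headers, allowed_origins):
    """Access-Control view of the header: who will *receive* the response data?

    Emits Access-Control-Allow-Origin only for an allowlisted requester, so a
    browser elsewhere never gets permission to read the response body.
    """
    origin = get_header(headers, "Origin")
    if origin is None:
        return {}
    allowed = {normalize_origin(a) for a in allowed_origins}
    if normalize_origin(origin) in allowed:
        return {"Access-Control-Allow-Origin": origin.strip(), "Vary": "Origin"}
    return {}


if __name__ == "__main__":
    # Constructed sample requests against the hypothetical app origin.
    app = "https://app.example"
    print(csrf_check("POST", {"Origin": "https://app.example"}, app))
    print(csrf_check("POST", {"Origin": "https://attacker.example"}, app))
    print(cors_response_headers({"Origin": "https://partner.example"}, ["https://partner.example"]))
```

The CSRF function answers "may this request act on the user's behalf?" and the CORS function answers "may this caller read what we send back?"; the same header value feeds both, which is exactly why the thread treats sharing one header as a semantic problem rather than a syntactic one.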