- From: Bil Corry <bil@corry.biz>
- Date: Wed, 14 Jan 2009 13:36:12 -0600
- To: Jonas Sicking <jonas@sicking.cc>
- CC: Adrian Bateman <adrianba@microsoft.com>, "public-webapps@w3.org" <public-webapps@w3.org>

Jonas Sicking wrote on 1/14/2009 12:53 PM:
> The problem I think is that the current name, 'Origin', is extremely
> generic and so it's likely to cause confusion once we get other
> headers containing origins.
>
> That said, I do understand that this is a very late change for you
> guys. Developers will code to what works, so as long as things work
> the same across browsers, with regards to this and the CSRF protection
> header, things should be mostly ok.
>
> What do other people think?

I liked your suggestion that would marry the two:

Jonas Sicking wrote on 1/12/2009 7:22 PM:
> That said, here is a solution that might work for both Access-Control
> and CSRF protection:
>
> Site A makes a request to site B,
> the UA adds the header "Origin: A"
> Site B redirects the request to site C,
> the UA adds the header "Origin: A, B"

- Bil

Received on Wednesday, 14 January 2009 19:36:52 UTC
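
The redirect scheme quoted in the message above, worked through as an added example that is not part of the original thread or of any specification. The function names, the `.example` origins and the server policy (accept only when every origin in the chain is trusted) are assumptions made for illustration; only the comma-separated "Origin: A, B" form comes from the message.

```javascript
// Added illustration. All names and sample origins here are constructed.

// UA side: given the hops of a redirect chain (hops[0] initiated the request,
// each later entry received it), return the Origin header sent to each hop.
// A request from A to B carries "A"; after B redirects to C it carries "A, B".
function originHeadersForChain(hops) {
  const sent = [];
  for (let i = 1; i < hops.length; i++) {
    sent.push({ to: hops[i], origin: hops.slice(0, i).join(", ") });
  }
  return sent;
}

// Server side: split the header value into the individual origins.
function parseOriginChain(headerValue) {
  if (typeof headerValue !== "string") return [];
  return headerValue
    .split(",")
    .map((part) => part.trim())
    .filter((part) => part.length > 0);
}

// Assumed CSRF policy: a state-changing request is accepted only if the
// header is present and every origin that touched the request is trusted.
// Checking only the first entry would let an untrusted redirector in the
// middle of the chain pass unnoticed.
function isRequestTrusted(headerValue, trustedOrigins) {
  const chain = parseOriginChain(headerValue);
  return chain.length > 0 && chain.every((o) => trustedOrigins.has(o));
}

// Constructed sample: A requests B, B redirects to C.
const hops = ["https://a.example", "https://b.example", "https://c.example"];
const trustedByC = new Set(["https://a.example"]);

for (const { to, origin } of originHeadersForChain(hops)) {
  console.log(`${to} receives "Origin: ${origin}" ->`,
    isRequestTrusted(origin, trustedByC) ? "accept" : "reject");
}
```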