- From: Anne van Kesteren <annevk@opera.com>
- Date: Wed, 14 Jan 2009 20:45:25 +0100
- To: "Bil Corry" <bil@corry.biz>, "Jonas Sicking" <jonas@sicking.cc>
- Cc: "Adrian Bateman" <adrianba@microsoft.com>, "public-webapps@w3.org" <public-webapps@w3.org>
On Wed, 14 Jan 2009 20:36:12 +0100, Bil Corry <bil@corry.biz> wrote: > Jonas Sicking wrote on 1/14/2009 12:53 PM: >> The problem I think is that the current name, 'Origin', is extremely >> generic and so it's likely to cause confusion once we get other >> headers containing origins. >> >> That said, I do understand that this is a very late change for you >> guys. Developers will code to what works, so as long as things work >> the same across browsers, with regards to this and the CSRF protection >> header, things should be mostly ok. >> >> What do other people think? > > I liked your suggestion that would marry the two: > > Jonas Sicking wrote on 1/12/2009 7:22 PM: > > That said, here is a solution that might work for both Access-Control > > and CSRF protection: > > > > Site A makes a request to site B, > > the UA adds the header "Origin: A" > > Site B redirects the request to site C, > > the UA adds the header "Origin: A, B" This would mean significant changes to the draft which would not work well for Microsoft. Renaming I would like to consider, changing the semantics drastically seems out of order at this point. -- Anne van Kesteren <http://annevankesteren.nl/> <http://www.opera.com/>
Received on Wednesday, 14 January 2009 19:46:29 UTC