Re: [access-control] Access-Control-Allow-Origin: * and ascii-origin in IE8

Maciej Stachowiak wrote on 1/16/2009 4:40 PM: 
> Such hotlinking is probably using a GET request, so no Origin header
> would be sent. I believe it is also outside the scope of the CSRF
> protection and cross-origin data sharing goals of Origin. The Referer
> header is still usable for hotlinking prevention in this scenario, the
> only downside being that it is apparently often filtered by sites or
> users for privacy reasons.

Ha, well, mea culpa.  I was imaging it from the endpoint receiving an Origin header, then how it could be deceptive in the case of a redirect.  If anything, I guess my scenario would be an argument against sending Origin for non-Access-Control GET requests.  Thanks for keeping me straight.

As for the hotlinking, I wasn't implying that Origin should (or can) be used to combat it.  I saw it as an example of how the Origin header may have the side-effect of being used for other purposes simply by being present in the request.

- Bil

Received on Saturday, 17 January 2009 00:11:37 UTC