W3C home > Mailing lists > Public > public-webapps@w3.org > January to March 2009

Re: [access-control] Access-Control-Allow-Origin: * and ascii-origin in IE8

From: Bil Corry <bil@corry.biz>
Date: Fri, 16 Jan 2009 18:10:55 -0600
Message-ID: <4971220F.8040802@corry.biz>
To: Maciej Stachowiak <mjs@apple.com>
CC: Adrian Bateman <adrianba@microsoft.com>, Anne van Kesteren <annevk@opera.com>, Jonas Sicking <jonas@sicking.cc>, "public-webapps@w3.org" <public-webapps@w3.org>

Maciej Stachowiak wrote on 1/16/2009 4:40 PM: 
> Such hotlinking is probably using a GET request, so no Origin header
> would be sent. I believe it is also outside the scope of the CSRF
> protection and cross-origin data sharing goals of Origin. The Referer
> header is still usable for hotlinking prevention in this scenario, the
> only downside being that it is apparently often filtered by sites or
> users for privacy reasons.

Ha, well, mea culpa.  I was imaging it from the endpoint receiving an Origin header, then how it could be deceptive in the case of a redirect.  If anything, I guess my scenario would be an argument against sending Origin for non-Access-Control GET requests.  Thanks for keeping me straight.

As for the hotlinking, I wasn't implying that Origin should (or can) be used to combat it.  I saw it as an example of how the Origin header may have the side-effect of being used for other purposes simply by being present in the request.

- Bil
Received on Saturday, 17 January 2009 00:11:37 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:12:50 UTC