Re: Do we need to rename the Origin header?

Ian Hickson wrote on 5/24/2010 7:55 PM: 
> On Mon, 24 May 2010, Bil Corry wrote:
>> Adam Barth wrote on 7/16/2009 10:38 AM: 
>>> On Thu, Jul 16, 2009 at 8:47 AM, Bil Corry<bil@corry.biz> wrote:
>>>> I think you mean everything will NOT be privacy-sensitive except non-XHR GETs.
>>>
>>> I don't think we've quite settled on exactly what will be privacy
>>> sensitive.  It's most likely that POSTs and XHR will not be and that
>>> hyperlinks and image loads will be.  The goal is to harmonize with the
>>> Mozilla proposal.
>>
>> I haven't been following the progress of this, has "privacy-sensitive" been defined in HTML5 yet?
> 
> Yes.
> 
> 
>> The only reference I could find was in "2.6 Fetching Resources":
>>
>> ---8<---
>> For the purposes of the Origin  header, if the fetching algorithm was explicitly initiated from an origin, then the origin that initiated the HTTP request is origin. Otherwise, this is a request from a "privacy-sensitive" context. [ORIGIN]
>>
>> (from: http://www.whatwg.org/specs/web-apps/current-work/multipage/urls.html#fetching-resources)
>> --->8---
> 
> That is the definition.

To clarify, the Origin header is sent for all requests now, except those that don't have an origin?  The Origin header is sent for GET, POST, XHR, and CORS?


- Bil

Received on Tuesday, 25 May 2010 06:30:56 UTC