Re: Do we need to rename the Origin header?

On Mon, 24 May 2010, Bil Corry wrote:
> >>
> >> The only reference I could find was in "2.6 Fetching Resources":
> >>
> >> ---8<---
> >> For the purposes of the Origin  header, if the fetching algorithm was explicitly initiated from an origin, then the origin that initiated the HTTP request is origin. Otherwise, this is a request from a "privacy-sensitive" context. [ORIGIN]
> >>
> >> (from:
> >> --->8---
> > 
> > That is the definition.
> To clarify, the Origin header is sent for all requests now, except those 
> that don't have an origin?  The Origin header is sent for GET, POST, 
> XHR, and CORS?

It's sent for all invocations of the "fetch" algorithm in the HTML5 spec 
that explicitly specify that they come from a specific origin. Examples of 
invocations that include an explicit origin are the GET for a <script 
src>, the GET for <video src> and <source src>, and the POST done for the 
ping="" attribute. Examples of invocations that do not include an 
explicit origin include the GET for an application cache manifest, the GET 
for <img src="">, and the POST done by a user agent user interface 
element. For precise details please see the spec itself.

Ian Hickson               U+1047E                )\._.,--....,'``.    fL       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

Received on Tuesday, 25 May 2010 08:47:28 UTC