- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Tue, 3 Sep 2013 19:53:35 +0100
- To: Austin William Wright <aaa@bzfx.net>
- Cc: "Hill, Brad" <bhill@paypal-inc.com>, WebAppSec WG <public-webappsec@w3.org>
On Tue, Sep 3, 2013 at 7:36 PM, Austin William Wright <aaa@bzfx.net> wrote:
> Some word on credentials (regardless of origin) would still be relevant for
> Security Considerations. Particularly, how resources can require that
> sending of credentials be disabled. For instance, perhaps you could forbid
> requests containing both Origin and Cookie. (Is there any reason this
> wouldn't work? I don't like the sound of it, as it depends on the user agent
> sending the Origin header.)

It won't work because implementations already do this, sites use it, and
we're not going to break them.

Aside: The web security model is defined by HTML: http://www.whatwg.org/C
Extracting it from there requires lengthy detailed reading though. This
document contains a high-level overview of some of the concepts and legacy
artifacts: https://tools.ietf.org/html/rfc6454

--
http://annevankesteren.nl/
Received on Tuesday, 3 September 2013 18:54:02 UTC
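The point Anne makes above, as an added example that is not part of the thread and is not code from the WebAppSec WG or WHATWG: a browser making a credentialed cross-origin request (`fetch` with `credentials: 'include'`, or `XMLHttpRequest` with `withCredentials`) sends the Origin header and the Cookie header together, so a resource that refused every request carrying both would break exactly the sites that rely on credentialed CORS. The way a resource actually scopes that access is to decide per request whether to grant a credentialed cross-origin read via an explicit origin allowlist. The allowlist contents, the host names and the sample requests below are constructed for illustration; the code is plain Node.js with no dependencies.

```javascript
// Added example (not from the thread): the proposed "reject Origin + Cookie"
// rule beside the per-request CORS decision a resource makes today.

// Lower-case header names so lookups are case-insensitive, as HTTP requires.
function normalize(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers)) out[k.toLowerCase()] = v;
  return out;
}

// Naive rule from the quoted message: refuse any request that carries both an
// Origin header and a Cookie header. Returns true if the request is allowed.
function naiveRuleAllows(headers) {
  const h = normalize(headers);
  return !(h.origin !== undefined && h.cookie !== undefined);
}

// Assumed allowlist for this example: origins permitted to read responses to
// credentialed cross-origin requests.
const ALLOWED_ORIGINS = new Set(['https://app.example']);

// Response headers a resource emits for a given request. The browser, not the
// server, enforces these: without Access-Control-Allow-Origin the calling page
// cannot read the response, but the request has still executed server-side,
// so state-changing endpoints need CSRF defences on top of this.
function corsResponseHeaders(headers, allowed = ALLOWED_ORIGINS) {
  const h = normalize(headers);
  const origin = h.origin;
  // No Origin header: not a CORS request (e.g. a same-origin GET navigation).
  if (origin === undefined) return {};
  if (!allowed.has(origin)) {
    // Unknown origin: deliberately omit Access-Control-Allow-Origin. Vary on
    // Origin so caches never serve one origin's answer to another.
    return { 'Vary': 'Origin' };
  }
  // Credentialed responses must echo the origin exactly; browsers reject
  // Access-Control-Allow-Origin: * when Allow-Credentials is true.
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin',
  };
}

// Constructed sample request headers (not captured traffic).
const SAMPLE_REQUESTS = {
  // fetch(url, {credentials: 'include'}) from an allowlisted app: the browser
  // sends Origin and Cookie together. This is the case the naive rule breaks.
  credentialedFromAllowed: {
    Origin: 'https://app.example', Cookie: 'session=abc', Host: 'api.example',
  },
  // Same shape from an origin the resource does not trust.
  credentialedFromUnknown: {
    Origin: 'https://evil.example', Cookie: 'session=abc', Host: 'api.example',
  },
  // Plain same-origin navigation: no Origin header at all.
  sameOriginNavigation: { Cookie: 'session=abc', Host: 'api.example' },
};

// Evaluate one named sample under both policies.
function evaluate(name) {
  const headers = SAMPLE_REQUESTS[name];
  return { naiveAllows: naiveRuleAllows(headers), cors: corsResponseHeaders(headers) };
}

for (const name of Object.keys(SAMPLE_REQUESTS)) {
  console.log(name, JSON.stringify(evaluate(name)));
}
```

Running it shows the allowlisted credentialed request is refused by the naive rule but granted an explicit `Access-Control-Allow-Origin` by the CORS decision, while the untrusted origin gets no grant and the plain same-origin request needs no CORS headers at all.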