On Tue, Sep 3, 2013 at 7:36 PM, Austin William Wright <aaa@bzfx.net> wrote:
> Some word on credentials (regardless of origin) would still be relevant for
> Security Considerations. Particularly, how resources can require that
> sending of credentials be disabled. For instance, perhaps you could forbid
> requests containing both Origin and Cookie. (Is there any reason this
> wouldn't work? I don't like the sound of it, as it depends on the user agent
> sending the Origin header.)

It won't work because implementations already do this, sites use it,
and we're not going to break them.

Aside: The web security model is defined by HTML:
http://www.whatwg.org/C
Extracting it from there requires lengthy detailed reading though.
This document contains a high-level overview of some of the concepts
and legacy artifacts: https://tools.ietf.org/html/rfc6454

--
http://annevankesteren.nl/

Received on Tuesday, 3 September 2013 18:54:02 UTC