Thanks for the heads up. I don't think that was an intentional change, and in the past, we decided to keep the origin header for CORS. I agree that we should say something about this in the spec On Tue, Feb 2, 2016 at 8:01 AM Brad Hill <hillbrad@gmail.com> wrote: > https://bugzilla.mozilla.org/show_bug.cgi?id=446344 > > On Mon, Feb 1, 2016, 10:46 PM Mike West <mkwst@google.com> wrote: > >> +Jochen & Emily >> >> On Tue, Feb 2, 2016 at 6:15 AM, Brad Hill <hillbrad@gmail.com> wrote: >> >>> I note that most recent Chrome will change the value of the Origin >>> header on, e.g. a same-origin POST to "null" if there is a meta-referrer >>> policy of 'never' or 'no-referrer'. >>> >>> Should it do this? Seems possibly logical, but there is no mention of >>> this in the spec... >>> >> >> It seems reasonable to limit the leakage in this case, but it does mean >> that pages which specify such a referrer policy couldn't reasonably use >> CORS with credentials. I think that's probably a fine tradeoff, but I agree >> that it should be explicit in the spec. >> >> (Firefox, to my continuing sadness, doesn't send Origin on POST at all.) >>> >> >> Is there a bug on Bugzilla you could point folks to? I didn't see one in >> a quick skim for "Origin header"... >> >> -mike >> >
Received on Tuesday, 2 February 2016 08:30:08 UTC