[whatwg] Proposal for cross domain security framework

On Mon, 23 Jun 2008 14:18:22 +0200, Frode Børli <frode at seria.no> wrote:
> Hi! Thank you for pointing to that document. I quickly scanned through
> it but I have a small problem with the specification: does it require
> web servers to check the Origin header? What happens with older web
> applications that do not check this header?

It's not strictly required, but highly recommended. Older Web applications  
wouldn't opt-in and would therefore be as vulnerable as they are today.  
Anyway, this is the wrong list to debate that specification. You want  
public-webapps at w3.org.


-- 
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>

Received on Monday, 23 June 2008 09:09:16 UTC