
[whatwg] Proposal for cross domain security framework

From: Anne van Kesteren <annevk@opera.com>
Date: Mon, 23 Jun 2008 18:09:16 +0200
Message-ID: <op.uc7ltqch64w2qv@annevk-t60.oslo.opera.com>
On Mon, 23 Jun 2008 14:18:22 +0200, Frode Børli <frode at seria.no> wrote:
> Hi! Thank you for pointing to that document. I quickly scanned through
> it but I have a small problem with the specification: does it require
> web servers to check the Origin header? What happens with older web
> applications that do not check this header?

It's not strictly required, but highly recommended. Older Web applications  
wouldn't opt in and would therefore be as vulnerable as they are today.  
Anyway, this is the wrong list to debate that specification. You want  
public-webapps at w3.org.

Anne van Kesteren
Received on Monday, 23 June 2008 09:09:16 UTC
