- From: Adam Barth <whatwg@adambarth.com>
- Date: Sat, 29 Nov 2008 22:04:08 -0800

On Sat, Nov 29, 2008 at 8:13 PM, Ian Hickson <ian at hixie.ch> wrote:
> On Wed, 9 Jul 2008, Jonas Sicking wrote:
>> This way servers could be configured to reject all POST requests that
>> have an Origin header from a different site.
>
> I'm all in favour of doing this, but isn't this something that belongs in
> the HTTP spec rather than HTML5?

I've taken the liberty of writing up a mini-spec for the proposal:

http://crypto.stanford.edu/websec/specs/origin-header/

I'm not sure if the HTTP spec is the most appropriate place because
the spec has a dependency on HTML 5 to compute the ASCII serialization
of the origin.

Adam

Received on Saturday, 29 November 2008 22:04:08 UTC
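
The server-side rule quoted in the thread (reject a POST whose Origin header names a different site), sketched as an added example that is not part of the message or the linked mini-spec. It assumes the header carries an origin serialized as `scheme://host[:port]` with default ports omitted; the function names and the `bank.example` / `evil.example` hosts are constructed for illustration.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def serialize_origin(url):
    """Return scheme://host[:port] for a URL, or None if it is not an
    http(s) URL with a host. Default ports are dropped and case is
    folded so equivalent origins compare equal (assumed serialization)."""
    try:
        parts = urlsplit(url.strip())
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    if scheme not in DEFAULT_PORTS or not host:
        return None
    if port is None or port == DEFAULT_PORTS[scheme]:
        return f"{scheme}://{host}"
    return f"{scheme}://{host}:{port}"

def allow_request(method, headers, own_origins):
    """Apply the rule from the thread: reject a POST whose Origin header
    names a different site. A POST without the header passes, because
    clients that do not implement the header never send it."""
    if method.upper() != "POST":
        return True
    values = [v for k, v in headers if k.lower() == "origin"]
    if not values:
        return True
    if len(values) > 1:  # conflicting headers: fail closed
        return False
    candidate = serialize_origin(values[0])
    # "null" and unparseable values serialize to None and are rejected
    return candidate is not None and candidate in own_origins

# Constructed sample requests: (method, header list)
OWN = {serialize_origin("https://bank.example/")}
SAMPLES = [
    ("POST", [("Origin", "https://bank.example")]),       # same site
    ("POST", [("Origin", "https://evil.example")]),       # cross-site
    ("POST", [("Origin", "http://bank.example")]),        # scheme differs
    ("POST", [("Origin", "null")]),                       # opaque origin
    ("POST", [("Content-Type", "text/plain")]),           # header absent
]

if __name__ == "__main__":
    for method, headers in SAMPLES:
        verdict = "allow" if allow_request(method, headers, OWN) else "reject"
        print(verdict, method, headers)
```

Accepting a POST that carries no Origin header follows the wording of the proposal; a deployment that only serves header-aware clients could reject those requests as well.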