
[whatwg] XXX-Origin header

From: Bil Corry <bil@corry.biz>
Date: Thu, 02 Apr 2009 23:21:54 -0500
Message-ID: <49D58EE2.2010608@corry.biz>

Related, HTML5 currently prohibits sending the XXX-Origin header for GET requests.  This is to prevent intranet applications leaking their internal hostnames to external sites (are there other reasons?).

However, there is value in a site being able to determine that a request originated from itself, so to that end, I'd like to request that HTML5 specify that the XXX-Origin header should be sent for any same-origin GET requests.  This would still avoid leaking intranet hostnames while allowing a site to verify that a request came from itself.

- Bil
Received on Thursday, 2 April 2009 21:21:54 UTC
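
The rule proposed in the message above, modelled as an added example (it is not part of the original message or of any HTML5 text). It assumes that non-GET requests always carry the header, that header names arrive lower-cased as in Node.js, and uses constructed hostnames; `originHeaderFor` and `classifyRequest` are hypothetical helper names.

```javascript
// "XXX-Origin" is the placeholder header name used in the thread.
const HEADER = "xxx-origin";

// Serialize scheme://host[:port]; URL.origin drops default ports,
// so https://shop.example:443 and https://shop.example compare equal.
function originOf(url) {
  return new URL(url).origin;
}

// User-agent side: the header value to attach, or null to omit it.
// Proposed rule: a GET carries the header only when source and target
// share an origin, so an intranet hostname never reaches another site.
// Assumption: every non-GET request carries the header.
function originHeaderFor(method, documentUrl, targetUrl) {
  const source = originOf(documentUrl);
  const isGet = method.toUpperCase() === "GET";
  if (isGet && source !== originOf(targetUrl)) {
    return null; // cross-origin GET: omit to avoid leaking the hostname
  }
  return source;
}

// Server side: classify a request from its headers.
// A missing header is "unknown", not "same-origin": it may be a
// cross-origin GET or a user agent that never sends the header.
function classifyRequest(headers, siteUrl) {
  const value = headers[HEADER];
  if (value === undefined || value === null) {
    return "unknown";
  }
  return value === originOf(siteUrl) ? "same-origin" : "cross-origin";
}

// Constructed sample requests: [method, requesting page, target URL].
const samples = [
  ["GET", "http://wiki.corp.example/page", "https://external.example/"],
  ["GET", "https://shop.example/cart", "https://shop.example/pay"],
  ["POST", "https://other.example/form", "https://shop.example/pay"],
];
for (const [method, from, to] of samples) {
  const sent = originHeaderFor(method, from, to);
  const headers = sent === null ? {} : { [HEADER]: sent };
  console.log(method, from, "->", to, "|", sent, "|", classifyRequest(headers, to));
}
```

Under this rule a server can only act on a positive match; requests without the header still need whatever fallback the site already uses.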
