- From: Bil Corry <bil@corry.biz>
- Date: Thu, 02 Apr 2009 23:21:54 -0500
Related, HTML5 currently prohibits sending the XXX-Origin header for GET requests. This is to prevent intranet applications leaking their internal hostnames to external sites (are there other reasons?). However, there is value in a site being able to determine that a request originated from itself, so to that end, I'd like to request that HTML5 specify that the XXX-Origin header should be sent for any same-origin GET requests. This would still avoid leaking intranet hostnames while allowing a site to verify that a request came from itself. - Bil
Received on Thursday, 2 April 2009 21:21:54 UTC