- From: Ian Hickson <ian@hixie.ch>
- Date: Wed, 3 Jun 2009 01:11:30 +0000 (UTC)
On Thu, 2 Apr 2009, Bil Corry wrote:
>
> Since the public-webapps list was never able to reconcile[1] HTML5's
> Origin header (now renamed XXX-Origin[2]) with CORS's Origin header[3],
> we're left with two headers with similar implementations and similar
> names. Due to this, it may be prudent to rename XXX-Origin to something
> without "Origin" in the name to better distinguish between the two. I
> don't know what the header should be renamed to ("Source"?), but no
> matter which name is chosen for the header, it should be listed as a
> prohibited header for XHR.setRequestHeader()[4].
>
> [1] http://lists.w3.org/Archives/Public/public-webapps/2009JanMar/0057.html
> [2] http://www.whatwg.org/specs/web-apps/current-work/multipage/history.html#navigate-fragid-step
> [3] http://www.w3.org/TR/cors/#origin-header
> [4] http://www.w3.org/TR/XMLHttpRequest2/#author-request-headers

Based on advice from Adam, I have updated HTML5 to have "Origin" again.

On Thu, 2 Apr 2009, Bil Corry wrote:
>
> Related, HTML5 currently prohibits sending the XXX-Origin header for GET
> requests. This is to prevent intranet applications leaking their
> internal hostnames to external sites (are there other reasons?).
>
> However, there is value in a site being able to determine that a request
> originated from itself, so to that end, I'd like to request that HTML5
> specify that the XXX-Origin header should be sent for any same-origin
> GET requests. This would still avoid leaking intranet hostnames while
> allowing a site to verify that a request came from itself.

That's an interesting idea; Adam, what do you think? I'm a bit wary of
adding too many features at once here, and it's difficult to define
exactly what constitutes a same-origin request sometimes, so this might
not be that easy to do.

On Thu, 2 Apr 2009, Bil Corry wrote:
>
> Since HTML5's XXX-Origin header now differs slightly from CORS Origin
> header, I propose we rename HTML5's header to something without "Origin"
> in it to make the distinction between the two more clear -- i.e. to
> avoid developer implementation errors where they check for the wrong
> header. As far as a name for the header goes, perhaps "Source" or
> "Request-Source" or ????

Can we just resolve the differences?

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Tuesday, 2 June 2009 18:11:30 UTC
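The thread turns on one defensive use of the Origin header: a site checking that a state-changing request came from itself, while accepting that browsers of this era do not send Origin on plain GETs. The following is an added example of such a server-side check, not code from this message or from the HTML5/CORS specifications. It assumes request headers arrive as a plain dict (looked up case-insensitively), takes the site's own origin as a string, and falls back to Referer when Origin is absent; the sample inputs in the usage section are constructed.

```python
"""Server-side Origin check for state-changing requests (added example).

Assumptions: headers are a dict of raw header name -> value, the site's own
origin is passed in as a string such as "https://example.com", and a request
with a safe method (GET/HEAD/OPTIONS) never changes server state.
"""
from urllib.parse import urlsplit

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def normalize_origin(value):
    """Return (scheme, host, port) for an origin or URL string, or None.

    The literal value "null", an empty value, a non-http(s) scheme or an
    unparseable port all yield None, so they can never match a real origin.
    """
    if value is None:
        return None
    value = value.strip()
    if not value or value == "null":
        return None
    parts = urlsplit(value)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    try:
        port = parts.port
    except ValueError:
        return None
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    return (parts.scheme, parts.hostname.lower(), port)


def header(headers, name):
    """Case-insensitive header lookup over a plain dict."""
    for key, val in headers.items():
        if key.lower() == name.lower():
            return val
    return None


def check_request(method, headers, site_origin):
    """Decide whether a request may proceed; returns (allowed, reason).

    Safe methods pass without an origin check because the header is not
    reliably present on them. State-changing methods must carry an Origin
    (or, failing that, a Referer) whose scheme, host and port exactly
    equal the site's own origin; a substring or suffix match is not enough.
    """
    method = method.upper()
    expected = normalize_origin(site_origin)
    if method in SAFE_METHODS:
        return True, "safe method; no origin check"

    origin = header(headers, "Origin")
    if origin is not None:
        source_hdr, src = "Origin", normalize_origin(origin)
    else:
        referer = header(headers, "Referer")
        if referer is None:
            return False, "no Origin or Referer on state-changing request"
        source_hdr, src = "Referer", normalize_origin(referer)

    if src is None:
        return False, f"{source_hdr} is unparseable or 'null'"
    if src != expected:
        return False, f"{source_hdr} {src} does not match site origin {expected}"
    return True, f"{source_hdr} matches site origin"


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    site = "https://example.com"
    samples = [
        ("GET", {}),
        ("POST", {"Origin": "https://example.com"}),
        ("POST", {"origin": "http://example.com"}),            # scheme mismatch
        ("POST", {"Origin": "https://example.com.evil.test"}),  # suffix trick
        ("POST", {"Origin": "null"}),
        ("POST", {"Referer": "https://example.com/form?x=1"}),
        ("POST", {}),
    ]
    for method, hdrs in samples:
        allowed, reason = check_request(method, hdrs, site)
        print(f"{method:5} {hdrs!s:45} -> {'ALLOW' if allowed else 'DENY '} ({reason})")
```

Two design points worth noting. First, the comparison is on the normalized (scheme, host, port) tuple, so `https://example.com.evil.test` and `http://example.com` are both rejected even though each contains the site's hostname. Second, the check passes GETs unconditionally, which is only sound if GET handlers really are side-effect free; that is exactly the gap Bil Corry's proposal to send Origin on same-origin GETs would have narrowed.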