[whatwg] Do we need to rename the Origin header?

From: Bil Corry <bil@corry.biz>
Date: Sat, 20 Jun 2009 14:57:50 -0500
Message-ID: <4A3D3F3E.7060500@corry.biz>
Ian Hickson wrote on 6/2/2009 8:11 PM: 
> On Thu, 2 Apr 2009, Bil Corry wrote:
>> Related, HTML5 currently prohibits sending the XXX-Origin header for GET 
>> requests.  This is to prevent intranet applications leaking their 
>> internal hostnames to external sites (are there other reasons?).
>>
>> However, there is value in a site being able to determine that a request 
>> originated from itself, so to that end, I'd like to request that HTML5 
>> specify that the XXX-Origin header should be sent for any same-origin 
>> GET requests.  This would still avoid leaking intranet hostnames while 
>> allowing a site to verify that a request came from itself.
> 
> That's an interesting idea; Adam, what do you think? I'm a bit wary of 
> adding too many features at once here, and it's difficult to define 
> exactly what constitutes a same-origin request sometimes, so this might not 
> be that easy to do.

I've lost track, is this still something being considered?


- Bil
Received on Saturday, 20 June 2009 12:57:50 UTC
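
An added example, not part of the original message or of any specification: how a server could classify a GET if the header were sent on same-origin GET requests as proposed in the thread above. It assumes the header ends up named `Origin`; the function names and the `app.example` hosts are constructed for illustration.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def normalize_origin(value):
    """Return (scheme, host, port) for a serialized origin, or None if it is not one."""
    value = value.strip()
    if not value or value.lower() == "null":
        return None
    try:
        parts = urlsplit(value)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    # A serialized origin is scheme://host[:port] only.
    if parts.path or parts.query or parts.fragment or "@" in parts.netloc:
        return None
    if port is None:
        port = DEFAULT_PORTS[scheme]
    return (scheme, parts.hostname.lower(), port)


def classify_get(headers, own_origin):
    """Classify a GET as 'same-origin', 'mismatch' or 'unknown'.

    headers is a list of (name, value) pairs; own_origin is the site's origin.
    Assumption: the header is named Origin and sent only on same-origin GETs.
    """
    own = normalize_origin(own_origin)
    if own is None:
        raise ValueError("own_origin is not a valid http(s) origin")
    values = [v for k, v in headers if k.lower() == "origin"]
    if not values:
        # Absent header proves nothing: a cross-origin GET, or a client
        # that does not implement the header at all.
        return "unknown"
    if len(values) != 1:
        return "mismatch"  # duplicated header: refuse to guess which one counts
    return "same-origin" if normalize_origin(values[0]) == own else "mismatch"


OWN = "https://app.example"  # constructed sample origin
```

Only the `same-origin` result is positive evidence; `unknown` must be handled as unverified rather than trusted.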