- From: Bil Corry <bil@corry.biz>
- Date: Wed, 24 Jun 2009 19:48:18 -0500
Adam Barth wrote on 6/20/2009 6:25 PM:
> On Sat, Jun 20, 2009 at 12:57 PM, Bil Corry<bil at corry.biz> wrote:
>> I've lost track, is this still something being considered?
>
> I should have an updated draft posted soon.

I'm not clear with the new draft if it now allows Sec-From for same-origin GET requests; it says:

-----
Whenever a user agent issues an HTTP request from a "privacy-sensitive" context, the user agent MUST send the value "null" in the Sec-From header.
-----

But it doesn't define "privacy-sensitive". It does say:

-----
The Sec-From header also improves on the Referer header by NOT leaking intranet host names to external Web sites when a user follows a hyperlink from an intranet host to an external site because hyperlinks generate privacy-sensitive requests.
-----

So presumably a GET request to the same origin isn't a "privacy-sensitive" request, but I'm just double-checking. I think explicitly defining or referencing what constitutes a "privacy-sensitive" request would greatly improve the draft.

- Bil
Received on Wednesday, 24 June 2009 17:48:18 UTC
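The leak the draft text quoted above is meant to prevent can be shown with a small model of the two headers. This is an added illustration, not code from the draft or from anyone on the thread. It takes from the quoted draft only that a hyperlink-initiated request is privacy-sensitive and therefore carries Sec-From: null; it assumes (the email does not say so) that a non-null Sec-From carries the initiating document's serialized origin, scheme://host[:port], rather than the full URL that Referer carries. The intranet URL is constructed for the example, and the open question in the email, whether a same-origin GET is privacy-sensitive, is deliberately left to the caller's via_hyperlink flag rather than decided here.

```python
from urllib.parse import urlsplit

# Default ports are omitted from a serialized origin (assumption for this model).
DEFAULT_PORTS = {"http": 80, "https": 443}


def serialize_origin(url: str) -> str:
    """Reduce a URL to scheme://host[:port]; path and query are dropped."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port
    if port is None or port == DEFAULT_PORTS.get(scheme):
        return f"{scheme}://{host}"
    return f"{scheme}://{host}:{port}"


def referer_value(initiator_url: str) -> str:
    """Referer as browsers of the time sent it: the full initiating URL."""
    return initiator_url


def sec_from_value(initiator_url: str, via_hyperlink: bool) -> str:
    """Sec-From per the quoted draft text: 'null' for a privacy-sensitive
    context (a followed hyperlink), otherwise the serialized origin
    (the non-null form is an assumption, see the lead-in)."""
    if via_hyperlink:
        return "null"
    return serialize_origin(initiator_url)


def leaks_host(header_value: str, host: str) -> bool:
    """True if the header value would reveal the given host name."""
    return host.lower() in header_value.lower()


# Constructed sample: a user on an intranet wiki clicks a link to an external site.
INTRANET_PAGE = "http://wiki.corp.internal:8080/projects/secret-plan?id=42"
INTRANET_HOST = "wiki.corp.internal"


def compare_headers(initiator_url: str = INTRANET_PAGE,
                    host: str = INTRANET_HOST) -> dict:
    """Return what each header would carry for a hyperlink navigation and
    whether it exposes the intranet host name to the external site."""
    ref = referer_value(initiator_url)
    sf = sec_from_value(initiator_url, via_hyperlink=True)
    return {
        "Referer": ref,
        "Referer_leaks_host": leaks_host(ref, host),
        "Sec-From": sf,
        "Sec-From_leaks_host": leaks_host(sf, host),
    }


if __name__ == "__main__":
    for name, value in compare_headers().items():
        print(f"{name}: {value}")
```

Running it shows Referer carrying the full intranet URL while Sec-From carries "null" for the same click; switching via_hyperlink to False (for example a same-origin GET, if the draft ends up treating that as not privacy-sensitive) yields the bare origin http://wiki.corp.internal:8080, which still omits the path and query that Referer exposes.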