Re: [whatwg] Fetch: Origin header from Ian Hickson on 2013-07-23 (public-whatwg-archive@w3.org from July 2013)

From: Ian Hickson <ian@hixie.ch>
Date: Tue, 23 Jul 2013 20:30:26 +0000 (UTC)
To: Anne van Kesteren <annevk@annevk.nl>, Adam Barth <w3c@adambarth.com>
Cc: WHATWG <whatwg@whatwg.org>
Message-ID: <alpine.DEB.2.00.1307232020520.9685@ps20323.dreamhostps.com>

On Wed, 6 Mar 2013, Anne van Kesteren wrote:
>
> It seems we have a bunch of different policies for setting the Origin 
> header :-(
> 
> XMLHttpRequest always sets it to the given value.
> 
> HTML's "fetch" only sets it to a non-null value if a from parameter is 
> passed.

I originally wanted it to always be passed, but there are cases where 
that's not done for various reasons (mainly privacy or compatibility). The 
Origin spec handles this via "privacy-sensitive contexts"; if you look at 
the HTML spec source and search for "privacy-sensitive" you'll find 
relevant notes.

> HTML's "potentially CORS-enabled fetch" seems to never invoke "fetch" 
> with a from parameter except indirectly via CORS' cross-origin request.

Right, the idea there is to basically defer to CORS.

On Thu, 7 Mar 2013, Anne van Kesteren wrote:
> 
> So I also "tested" the "fetch from an origin" in the specification 
> http://dump.testsuite.org/fetch/form.html and it turns out that only 
> WebKit exhibits this behavior. Other browsers do not include Origin in a 
> navigation that uses the POST method.

This is unsurprising, it's new requirements in old parts of the spec and 
it's unlikely browsers will be updated until it's something we test in the 
test suite.

On Fri, 8 Mar 2013, Anne van Kesteren wrote:
> 
> Okay. So currently the mix of the Origin specification and the HTML 
> specification suggests you either do "Origin: /origin/" or "Origin: 
> null". However WebKit seems to do "Origin: /origin/" or no header at all 
> (for the "privacy-sensitive" cases). Ian also mentioned that we can not 
> just put the Origin header into every outgoing request as that breaks 
> the interwebs (per research you did for Chrome I believe?).

"Origin: null" is what the Origin spec requires, I think, so we should 
update that spec if we don't do that.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

Received on Tuesday, 23 July 2013 20:30:52 UTC