- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Fri, 8 Mar 2013 10:23:28 +0000
- To: Adam Barth <w3c@adambarth.com>
- Cc: WHATWG <whatwg@whatwg.org>

On Thu, Mar 7, 2013 at 7:29 PM, Adam Barth <w3c@adambarth.com> wrote:
> I don't have strong feelings one way or another. Generally, I think
> it's a good idea if the presence of the Origin header isn't synonymous
> with the request being a CORS request because that could limit our
> ability to use the Origin header in the future.

Okay.

So currently the mix of the Origin specification and the HTML specification suggests you either do "Origin: /origin/" or "Origin: null". However WebKit seems to do "Origin: /origin/" or no header at all (for the "privacy-sensitive" cases). Ian also mentioned that we can not just put the Origin header into every outgoing request as that breaks the interwebs (per research you did for Chrome I believe?).

What do you think we should end up requiring?

--
http://annevankesteren.nl/

Received on Friday, 8 March 2013 10:23:55 UTC
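
The three observable states discussed in this message ("Origin: /origin/", "Origin: null", and no header at all), handled on the receiving side without treating the header's presence as meaning the request is a CORS request. This is an added example, not part of the original message; the function names, the trusted-origin list and the lowercase header map are assumptions made for illustration.

```javascript
// Added example: classify the Origin header of an incoming request.
// TRUSTED_ORIGINS is a constructed value; header keys are assumed to be
// lowercased, as in Node's req.headers.
const TRUSTED_ORIGINS = new Set(["https://app.example"]);

// Returns "absent", "opaque", "trusted", "untrusted" or "malformed".
function classifyOrigin(headers) {
  const raw = headers["origin"];
  if (raw === undefined) return "absent";   // no header at all
  const value = raw.trim();
  if (value === "null") return "opaque";    // the literal "Origin: null"
  let url;
  try {
    url = new URL(value);
  } catch {
    return "malformed";
  }
  // A serialized origin is scheme://host[:port] with no path, query or
  // fragment, so it must round-trip unchanged through URL.origin.
  if (url.origin !== value) return "malformed";
  return TRUSTED_ORIGINS.has(value) ? "trusted" : "untrusted";
}

// Decision for a request, independent of whether it is a CORS request.
// "fallback" means the header gave no signal and another check must decide.
function decide(method, headers) {
  if (method === "GET" || method === "HEAD") return "allow"; // safe methods are not gated here
  switch (classifyOrigin(headers)) {
    case "trusted":
      return "allow";
    case "absent":
      return "fallback"; // a missing header is not evidence of a same-origin request
    default:
      return "deny";     // "null", untrusted or malformed
  }
}

// Constructed sample requests covering each state.
const samples = [
  ["POST", {}],
  ["POST", { origin: "null" }],
  ["POST", { origin: "https://app.example" }],
  ["POST", { origin: "https://other.example" }],
  ["POST", { origin: "https://app.example/path" }],
];
for (const [method, headers] of samples) {
  console.log(method, JSON.stringify(headers), "->", decide(method, headers));
}
```
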