On 12 Jan 2009, at 17:59, Jonas Sicking wrote:

On Mon, Jan 12, 2009 at 5:35 PM, Ian Hickson <i...@hixie.ch> wrote:
On Mon, 12 Jan 2009, Jonas Sicking wrote:

Well, they have semantically different meanings:

The Access-Control one means "this is the party I'm sending data to".
The CSRF one means "this is the party that initiated the request".

In particular, with CSRF, the requesting party is _not_ the party to which
the server is sending data.

I agree that using the same header is problematic. For HTML5 I'm happy to use whatever header people want. In fact ideally I'd love there to be an RFC or some documentation somewhere defining the header that HTML5 uses,
so that I can reference that when requiring it be sent.

Should I remove or rename 'Origin' in HTML5 for now?

Well, HTML5 isn't the only place where this header has been discussed,
but it wouldn't be a bad idea I think.

+1

Having the CSRF-Origin defined in an RFC or another separate spec is a good idea independently of whether or not it ends up being the same header that's used for cross-site XHR.
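The distinction Jonas draws above (CORS: "the party I'm sending data to"; CSRF: "the party that initiated the request") is easy to blur when both are read from a header called Origin. The following is an added example, not code from this thread or from any of the specs discussed in it, showing the two checks a server would make from the same header value and why they can disagree. It assumes a hypothetical site origin of https://app.example, a hypothetical CORS allowlist containing https://partner.example, request headers represented as a plain object with lower-case keys, and the (assumed, conservative) policy that a state-changing request with no Origin header is rejected.

```javascript
// Added example: one header value, two different questions.
// Assumptions (not from the thread): the site origin, the CORS allowlist,
// and the header representation below are all hypothetical.

const SITE_ORIGIN = "https://app.example";
const CORS_ALLOWLIST = new Set(["https://partner.example"]);
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS"]);

// CSRF sense: the header names the party that initiated the request.
// A state-changing request is accepted only when that party is our own site.
// A missing header means "initiator unknown", which this example rejects for
// state-changing methods (a conservative assumption of this example).
// Note that the literal string "null" (what browsers send for opaque
// origins) is not SITE_ORIGIN and is therefore rejected as well.
function csrfCheck(method, headers) {
  if (SAFE_METHODS.has(method.toUpperCase())) return true;
  const origin = headers["origin"];
  if (origin === undefined) return false;
  return origin === SITE_ORIGIN;
}

// CORS sense: the header names the party the response would be released to.
// The server decides whether that party may read the response and echoes the
// exact origin (never a wildcard) in Access-Control-Allow-Origin.
// Returns null when no Access-Control-Allow-Origin header should be sent.
function corsAllowOrigin(headers) {
  const origin = headers["origin"];
  if (origin === undefined) return null; // same-origin or non-browser client
  return CORS_ALLOWLIST.has(origin) ? origin : null;
}

// Both decisions for one request. A cross-site POST from partner.example is
// refused as a state change (the initiator is not us) even though that same
// origin is allowed to read responses under CORS: different questions,
// different answers, same header value.
function handle(method, headers) {
  return {
    acceptForStateChange: csrfCheck(method, headers),
    allowOriginHeader: corsAllowOrigin(headers),
  };
}

// Constructed sample requests (not captured traffic).
const crossSitePost = handle("POST", { origin: "https://partner.example" });
const sameSitePost = handle("POST", { origin: "https://app.example" });
console.log(crossSitePost); // { acceptForStateChange: false, allowOriginHeader: 'https://partner.example' }
console.log(sameSitePost);  // { acceptForStateChange: true, allowOriginHeader: null }
```

The point of keeping the two functions separate is that an allowlist built for one question must not be reused for the other: an origin you are willing to let read a response is not thereby an origin you trust to initiate a state change on a user's behalf.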
