Thomas Roessler wrote on 1/12/2009 8:02 PM:
> Having the CSRF-Origin defined in an RFC or another separate spec is a
> good idea independently of whether or not it ends up being the same
> header that's used for cross-site XHR.

If someone wants to form an "Origin" BOF at the next IETF meeting in March (with the idea of creating an RFC), I'll attend. I'm already planning to be there for the Cookie BOF.

- Bil