On Sat, 24 May 2008 10:32:03 +0200, Anne van Kesteren <[EMAIL PROTECTED]> wrote:
> On Tue, 13 May 2008 07:42:59 +0200, Adam Barth <[EMAIL PROTECTED]> wrote:
>> One option is to rename the header "Sec-Origin", which is already
>> blocked in XHR Level 1.
>
> True, but I think Access-Control-Origin is better as it more clearly
> indicates what it is related to. And since we can safely do it given
> that cross-site requests won't work for XMLHttpRequest until Access
> Control is implemented I think it's acceptable.

It has been suggested that having an "Origin" header instead of
"Access-Control-Origin" would be useful in other contexts as well. That
browsers could always include this as it does not have the privacy issue
the "Referer" header has (does not include the path) and could therefore
be used for Access Control but also to prevent CSRF.
I'm not really sure whether that is a good idea, but you (Adam) and Collin
can hopefully weigh in on that. :-)
--
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>
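
The suggestion in the message above, as an added example that is not part of the original email: a server-side check that uses an "Origin"-style header to refuse cross-site state-changing requests, alongside a helper showing that the value omits the path "Referer" would expose. The function names, the allow-list and the sample requests are constructed for illustration, and refusing requests that lack the header is an assumed policy.

```javascript
// Added example. ALLOWED_ORIGINS and the sample requests are constructed.
const ALLOWED_ORIGINS = new Set(["https://bank.example"]);
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS"]);

// Reduce a page URL to scheme + host + port. This is all an Origin-style
// header would reveal; the path and query that Referer carries are dropped.
function originOf(pageUrl) {
  return new URL(pageUrl).origin;
}

// Decide whether a request may change state. `headers` has lowercase keys.
function checkRequest(method, headers, allowed = ALLOWED_ORIGINS) {
  if (SAFE_METHODS.has(method.toUpperCase())) {
    return { allow: true, reason: "safe method" };
  }
  const origin = headers["origin"];
  if (origin === undefined) {
    // Assumed policy: fail closed when the header is absent.
    return { allow: false, reason: "missing origin" };
  }
  let canonical;
  try {
    canonical = new URL(origin).origin;
  } catch {
    return { allow: false, reason: "malformed origin" };
  }
  // Reject values carrying a path, default port or other non-canonical form.
  if (canonical !== origin) {
    return { allow: false, reason: "malformed origin" };
  }
  // Exact match only: suffix or substring checks would accept look-alikes.
  return allowed.has(origin)
    ? { allow: true, reason: "origin allowed" }
    : { allow: false, reason: "origin not allowed" };
}

// Constructed sample requests.
const samples = [
  ["GET", {}],
  ["POST", { origin: "https://bank.example" }],
  ["POST", { origin: "https://bank.example.evil.test" }],
  ["POST", { origin: "https://bank.example/transfer" }],
  ["POST", {}],
];
for (const [method, headers] of samples) {
  console.log(method, headers.origin ?? "(none)", checkRequest(method, headers));
}
console.log(originOf("https://mail.example/inbox/42?folder=private"));
```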