On 2008-05-24 10:57:03 +0200, Anne van Kesteren wrote:

> It has been suggested that having an "Origin" header instead of 
> "Access-Control-Origin" would be useful in other contexts as
> well. That browsers could always include this as it does not have
> the privacy issue the "Referer" header has (does not include the
> path) and could therefore be used for Access Control but also to
> prevent CSRF.

Incidentally, +1 to "Origin" - for two reasons:

(a) it might indeed turn out to be more generally useful
(b) it's much less of a mouthful than Access-Control-Origin

-- 
Thomas Roessler, W3C  <[EMAIL PROTECTED]>
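
An added example, not part of the original message or of any specification text: the quoted proposal as a server-side check, where a URL is reduced to its origin (no path) and a state-changing request is accepted only if its "Origin" header names a trusted origin. The function names, the trusted-origin set, the sample hosts and the choice to reject requests without the header are assumptions of this sketch.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}   # assumed not to change state
TRUSTED = {"https://shop.example"}          # constructed sample value


def origin_of(url):
    """Reduce a URL to scheme://host[:port]; path, query and fragment are dropped."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    if not scheme or not host:
        return None                          # e.g. the literal value "null"
    try:
        port = parts.port
    except ValueError:                       # malformed port
        return None
    if port is None or port == DEFAULT_PORTS.get(scheme):
        return f"{scheme}://{host}"
    return f"{scheme}://{host}:{port}"


def allow_request(method, headers, trusted_origins=TRUSTED):
    """Origin-based CSRF check (hypothetical helper).

    `headers` is assumed to be a dict keyed by canonical header name.
    """
    if method.upper() in SAFE_METHODS:
        return True
    origin = headers.get("Origin")
    if origin is None:
        return False                         # assumption: fail closed
    normalized = origin_of(origin)
    return normalized is not None and normalized in trusted_origins


if __name__ == "__main__":
    # What a Referer would reveal versus what an Origin would carry.
    referer = "https://shop.example/account/orders?id=1234"  # constructed
    print("Referer:", referer)
    print("Origin: ", origin_of(referer))
    for hdrs in ({"Origin": "https://shop.example"},
                 {"Origin": "https://other.example"},
                 {}):
        print("POST", hdrs, "->", allow_request("POST", hdrs))
```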
