Anne van Kesteren wrote:

On Sat, 24 May 2008 10:32:03 +0200, Anne van Kesteren <[EMAIL PROTECTED]> wrote:
On Tue, 13 May 2008 07:42:59 +0200, Adam Barth <[EMAIL PROTECTED]> wrote:
One option is to rename the header "Sec-Origin", which is already
blocked in XHR Level 1.

True, but I think Access-Control-Origin is better as it more clearly indicates what it is related to. And since we can safely do it given that cross-site requests won't work for XMLHttpRequest until Access Control is implemented I think it's acceptable.

It has been suggested that having an "Origin" header instead of "Access-Control-Origin" would be useful in other contexts as well. That browsers could always include this as it does not have the privacy issue the "Referer" header has (does not include the path) and could therefore be used for Access Control but also to prevent CSRF.

I'm not really sure whether that is a good idea, but you (Adam) and Collin can hopefully weigh in on that. :-)

A similar idea came up when this header was named 'Referer-Root'. However, it was suggested to name the header 'Access-Control-Origin' to allow servers to easily block all cross-site requests that were done based on the Access-Control spec.

If the header is simply named 'Origin' (or 'Referer-Root') then blocking any requests that include that header would also block for example cross-site image requests or cross-site POSTs.

This can be both good and bad. The good part is that it gives sites a tool to easily block all third-party requests. The bad part is that it makes it harder to just block the most dangerous ones, i.e. ones where the requesting site can read the response.

I suggest we keep Access-Control-Origin as is. A separate 'Origin' spec seems useful, but I suspect it would be better done as a separate spec.

/ Jonas
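The trade-off Jonas lays out above, as an added example (not code from this thread or from any Access Control draft): a server applies one rule, "reject any request whose origin header names a foreign site", and gets different results depending on whether that header is a general 'Origin' sent on every request or an 'Access-Control-Origin' sent only on Access-Control requests. The site origin, the sample requests and the rule for which request kinds carry each header are assumptions made for the illustration.

```javascript
// Added example, not code from the thread or from any Access Control draft.
// Models a server-side "block foreign origins" rule under the two header
// designs discussed: "Origin" (attached to every request) versus
// "Access-Control-Origin" (attached only to Access-Control requests).
// SITE_ORIGIN, DESIGNS and SAMPLES are assumed values, not captured data.

const SITE_ORIGIN = 'https://app.example';

// Assumption: under the "Origin" design the browser attaches the header to
// every request (image fetches, form POSTs, cross-site XHR alike); under the
// "Access-Control-Origin" design only to Access-Control requests, i.e. the
// cross-site XHRs where the requesting site could read the response.
const DESIGNS = {
  Origin: { header: 'origin', sentOn: ['image', 'form-post', 'access-control'] },
  AccessControlOrigin: { header: 'access-control-origin', sentOn: ['access-control'] },
};

// Headers a browser would send for this request under the given design.
function headersFor(request, design) {
  const d = DESIGNS[design];
  const headers = {};
  if (d.sentOn.includes(request.kind)) headers[d.header] = request.origin;
  return headers;
}

// Normalise to scheme://host[:port] so case differences do not defeat the
// comparison; anything unparsable (including the literal "null") is foreign.
function normalizeOrigin(value) {
  try {
    return new URL(value).origin;
  } catch {
    return null;
  }
}

// The server's single rule: no header, nothing to judge on, so allow;
// header naming our own origin, allow; anything else, block.
function decide(headers, design) {
  const value = headers[DESIGNS[design].header];
  if (value === undefined) return 'allow';
  return normalizeOrigin(value) === SITE_ORIGIN ? 'allow' : 'block';
}

// Outcome of that rule under both designs for one request.
function evaluate(request) {
  const out = {};
  for (const design of Object.keys(DESIGNS)) {
    out[design] = decide(headersFor(request, design), design);
  }
  return out;
}

// Constructed sample traffic.
const SAMPLES = [
  { label: 'same-site form POST', kind: 'form-post', origin: 'HTTPS://App.Example' },
  { label: 'cross-site image embed', kind: 'image', origin: 'https://blog.example' },
  { label: 'cross-site form POST (CSRF attempt)', kind: 'form-post', origin: 'https://evil.example' },
  { label: 'cross-site XHR via Access Control', kind: 'access-control', origin: 'https://evil.example' },
];

for (const s of SAMPLES) {
  console.log(s.label.padEnd(38), JSON.stringify(evaluate(s)));
}
```

Run with node: the image embed and the CSRF POST are blocked only under the 'Origin' design (the blanket third-party block Jonas calls both good and bad), while the Access-Control XHR, the case where the requester can read the response, is blocked under both. The 'Access-Control-Origin' design therefore lets the cross-site POST through, which is exactly why it is not a CSRF defence on its own.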
