On Sun, 25 May 2008 23:36:48 +0200, Jonas Sicking <[EMAIL PROTECTED]> wrote:
> If the header is simply named 'Origin' (or 'Referer-Root') then blocking any requests that include that header would also block for example cross-site image requests or cross-site POSTs.
Right. Given that it's likely we get extensions in the future that allow reading the contents of images (<img>.getImageData() or something) or the response of a <form> POST (some features in Web Forms 2.0 allow this as far as I can tell).
> This can be both good and bad. The good part is that it gives sites a tool to easily block all third-party requests. The bad part is that it makes it harder to just block the most dangerous ones, i.e. ones where the requesting site can read the response.
The response is never revealed unless specified by the server.
> I suggest we keep Access-Control-Origin as is. A separate 'Origin' spec seems useful, but I suspect it would be better done as a separate spec.
I'm not convinced it's worth separating the two.

-- 
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>
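The distinction the two of them are arguing about, as an added example that is not part of the thread: a server-side filter that can only be written once the two header names are kept separate. It assumes the draft header names used above ('Origin' on every cross-site request such as images and form POSTs, 'Access-Control-Origin' only on requests whose response a script may read once the server opts in); the policy logic, the first-party origin and the sample requests are constructed here.

```python
# Added example (not from the thread): which cross-site requests a server can
# block under the two header designs discussed. Header names come from the
# thread; SITE, the policies and the sample requests are assumptions.

SITE = "https://bank.example"  # assumed first-party origin of this server


def request_origin(headers):
    """Origin the browser attached to the request, or None if there is none."""
    h = {k.lower(): v for k, v in headers.items()}
    return h.get("access-control-origin") or h.get("origin")


def is_cross_site(headers):
    origin = request_origin(headers)
    return origin is not None and origin != SITE


def response_readable_by_requester(headers):
    """True only for requests carrying Access-Control-Origin: those are the
    ones whose response the requesting page could read if the server allows.
    Image and form-POST requests carry plain 'Origin' and stay opaque."""
    return any(k.lower() == "access-control-origin" for k in headers)


def should_block(headers, policy):
    """'all': refuse every third-party request that carries an origin header
    (easy with a single 'Origin' header, but also kills images and POSTs).
    'readable': refuse only requests whose response the requester could read
    (needs the separate Access-Control-Origin header to tell them apart)."""
    if not is_cross_site(headers):
        return False
    if policy == "all":
        return True
    if policy == "readable":
        return response_readable_by_requester(headers)
    raise ValueError(f"unknown policy {policy!r}")


# Constructed sample requests, as a browser following the draft would send them.
IMG_REQUEST = {"Origin": "https://blog.example", "Accept": "image/*"}
FORM_POST = {"Origin": "https://other.example",
             "Content-Type": "application/x-www-form-urlencoded"}
XHR_REQUEST = {"Access-Control-Origin": "https://partner.example"}
SAME_SITE = {"Origin": SITE}


def summarize(policy):
    """Map each sample request to the block decision under the given policy."""
    samples = [("img", IMG_REQUEST), ("form", FORM_POST),
               ("xhr", XHR_REQUEST), ("same", SAME_SITE)]
    return {name: should_block(h, policy) for name, h in samples}
```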