Jonas Sicking wrote on 1/14/2009 12:53 PM:
> The problem I think is that the current name, 'Origin', is extremely
> generic and so it's likely to cause confusion once we get other
> headers containing origins.
>
> That said, I do understand that this is a very late change for you
> guys. Developers will code to what works, so as long as things work
> the same across browsers, with regards to this and the CSRF protection
> header, things should be mostly ok.
>
> What do other people think?
I liked your suggestion that would marry the two:
Jonas Sicking wrote on 1/12/2009 7:22 PM:
> That said, here is a solution that might work for both Access-Control
> and CSRF protection:
>
> Site A makes a request to site B,
> the UA adds the header "Origin: A"
> Site B redirects the request to site C,
> the UA adds the header "Origin: A, B"
- Bil
