On Wed, Jan 14, 2009 at 11:45 AM, Anne van Kesteren <ann...@opera.com> wrote: > On Wed, 14 Jan 2009 20:36:12 +0100, Bil Corry <b...@corry.biz> wrote: >> >> Jonas Sicking wrote on 1/14/2009 12:53 PM: >>> >>> The problem I think is that the current name, 'Origin', is extremely >>> generic and so it's likely to cause confusion once we get other >>> headers containing origins. >>> >>> That said, I do understand that this is a very late change for you >>> guys. Developers will code to what works, so as long as things work >>> the same across browsers, with regards to this and the CSRF protection >>> header, things should be mostly ok. >>> >>> What do other people think? >> >> I liked your suggestion that would marry the two: >> >> Jonas Sicking wrote on 1/12/2009 7:22 PM: >> > That said, here is a solution that might work for both >> Access-Control >> > and CSRF protection: >> > >> > Site A makes a request to site B, >> > the UA adds the header "Origin: A" >> > Site B redirects the request to site C, >> > the UA adds the header "Origin: A, B" > > This would mean significant changes to the draft which would not work well > for Microsoft. Renaming I would like to consider, changing the semantics > drastically seems out of order at this point.
Yup, I agree. / Jonas
