On Fri, 03 Apr 2009 22:05:52 +0200, Bil Corry <b...@corry.biz> wrote:
> So the first question to ponder is if the referrer header really can
> adequately replace Origin. If it can, then we should move this
> discussion over to ietf-http-wg and work to make sure referrer is
> updated in a way to make it useful for CSRF protection. If it can not,
> then we should discuss Origin here as the ietf-http-wg has made it very
> clear that they are not interested.

FWIW, for CORS it's too late to rename Origin now that we have three
implementations, one of which is shipping (IE) and two that are in beta
(Firefox, Safari). (Anyone know which version of Chrome supports CORS?)
CORS defines the Origin header as well:
http://www.w3.org/TR/2009/WD-cors-20090317/#origin-request-header
It has also been registered in the provisional header registry from IANA
for quite a while.
--
Anne van Kesteren
http://annevankesteren.nl/