On Sun, Jun 7, 2009 at 3:21 PM, Mark S. Miller <[email protected]> wrote: > If the hypothesis I am raising is indeed not a problem, then it doesn't > matter whether these same origin requests carry "Origin: null" or nothing. > What matters is that JavaScript code have a standard way to request their > browser to issue requests carrying no other credentials, even if back to the > same origin.
Yeah, I can see that as being useful. I encourage you to propose a new API that does this. The Origin-header-as-CSRF-defense already provides for this possibility. Is there something specific you'd like me to change in the I-D to support this new API? Adam
