On Mon, Jun 8, 2009 at 5:59 PM, Mark S. Miller <[email protected]> wrote:
> For concreteness, for the Origin header for these requests, I'll start with
> the simplest proposal that meets my goals: no Origin header for either same
> origin requests or cross origin requests. But for both the same origin case
> and the cross origin case, I am actually indifferent between no Origin
> header and an "Origin: null" header. If there's a reason for the "Origin:
> null" header, I'm happy with that.

Please send "Origin: null" in these cases. The problem with omitting the origin header is that the server can't tell if the request comes from a legacy client or if the header was removed in transit.

Also, the Referer header should be on your hit-list as a credential. :)

Adam
