On Tue, Jun 9, 2009 at 12:22 AM, Adam Barth<[email protected]> wrote:
> On Mon, Jun 8, 2009 at 5:59 PM, Mark S. Miller<[email protected]> wrote:
>> For concreteness, for the Origin header for these requests, I'll start with
>> the simplest proposal that meets my goals: no Origin header for either same
>> origin requests or cross origin requests. But for both the same origin case
>> and the cross origin case, I am actually indifferent between no Origin
>> header and an "Origin: null" header. If there's a reason for the "Origin:
>> null" header, I'm happy with that.
>
> Please send "Origin: null" in these cases. The problem with omitting
> the origin header is that the server can't tell if the request comes
> from a legacy client or if the header was removed in transit.

For the GuestXMLHttpRequest scenario, why should the server distinguish between these two cases?

--Tyler

--
"Waterken News: Capability security on the Web"
http://waterken.sourceforge.net/recent.html
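
Added example, not part of the thread and not code from any participant: a server-side sketch of the distinction raised in the quoted text, where an absent Origin header is ambiguous (legacy client or header removed in transit) while "Origin: null" is an explicit statement from a client that implements the header. The policy in `decide`, the action strings and the allowlist entry are assumptions made for illustration.

```python
from enum import Enum

class OriginState(Enum):
    ABSENT = "absent"    # legacy client, or header removed in transit
    NULL = "null"        # client implements Origin but withholds the value
    NAMED = "named"      # client sent a serialized origin
    INVALID = "invalid"  # more than one Origin header, or an empty value

# Constructed allowlist for the example.
TRUSTED_ORIGINS = frozenset({"https://app.example"})

def classify_origin(headers):
    """headers: list of (name, value) pairs as received; names are case-insensitive."""
    values = [v.strip() for name, v in headers if name.lower() == "origin"]
    if not values:
        return OriginState.ABSENT, None
    if len(values) > 1 or not values[0]:
        return OriginState.INVALID, None
    if values[0] == "null":
        return OriginState.NULL, None
    return OriginState.NAMED, values[0]

def decide(headers, csrf_token_ok):
    """Assumed policy for a state-changing request; returns an action string."""
    state, origin = classify_origin(headers)
    if state is OriginState.INVALID:
        return "reject"
    if state is OriginState.NAMED:
        return "allow" if origin in TRUSTED_ORIGINS else "reject"
    if state is OriginState.NULL:
        # Sender understands Origin and chose not to name one: serve the
        # request without cookies or other ambient credentials.
        return "handle-anonymously"
    # ABSENT: cannot tell a legacy client from a stripped header, so fall
    # back to the pre-Origin defence (a secret token in the request).
    return "allow" if csrf_token_ok else "reject"
```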
