On Wed, 10 Jun 2009 01:05:31 +0200, Adam Barth <[email protected]> wrote:
> Either of these is fine with me.  I'll update the
> Origin-for-CSRF-defense draft to match whatever CORS would like to do
> here.

I'd prefer a space-separated list. Each time you encounter a cross-origin 
redirect you append a space and the new origin to the Origin header and use it 
in the next request. (This can lead to a single origin being listed multiple 
times. I think that is ok.) This way Web services can be moved cross-origin 
without breaking any usage of them. (E.g. if a Web service from startup.example 
is moved to bigco.example.)

Since nobody is handling redirects yet this should not be much of an issue.


-- 
Anne van Kesteren
http://annevankesteren.nl/
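
The space-separated Origin list proposed in the message above, as an added example that is not part of the original message or of any draft. The function names, the sample origins other than startup.example and bigco.example, the reading of "the new origin" as the origin of the URL that issued the redirect, and the all-must-be-trusted server policy are assumptions.

```javascript
// Added illustration; function names are hypothetical, not from any draft or browser.
const originOf = (url) => new URL(url).origin;

// Origin header value sent with each request of a redirect chain.
// chain[0] is the first URL requested; later entries are redirect targets.
// Assumption: the "new origin" appended is that of the URL that issued the redirect.
function originHeadersForChain(initiator, chain) {
  const list = [initiator];
  return chain.map((url, i) => {
    if (i > 0) {
      const redirector = originOf(chain[i - 1]);
      // Only cross-origin redirects extend the list; duplicates are kept.
      if (redirector !== originOf(url)) list.push(redirector);
    }
    return list.join(" ");
  });
}

// Server side: split on spaces and accept only if every listed origin is trusted.
// Assumption: an all-must-match policy; the message does not define one.
function allOriginsTrusted(headerValue, trusted) {
  const origins = headerValue.trim().split(/ +/).filter(Boolean);
  return origins.length > 0 && origins.every((o) => trusted.has(o));
}

// Constructed sample: a service moved from startup.example to bigco.example.
const headers = originHeadersForChain("https://app.example", [
  "https://startup.example/api",
  "https://bigco.example/api",
]);
console.log(headers);
```

A receiver that compares the whole header against a single origin string stops matching once a redirect has extended the list, which is why the check splits the value first.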
