On Thu, 11 Jun 2009 13:35:57 +0200, Jonathan Rees
<[email protected]> wrote:
> I think this may be a foolish question, but is the value of Origin:
> limited to sites? Couldn't it be an individual web page (URI)? Or a
> wildcard? Is there some principled reason for such a limitation (if it
> exists)?
> I took a look at the HTML5 draft (cited by CORS) and couldn't quite
> figure this out.
The reason is that this does not reveal confidential path information and
can therefore more often be included in the request than the Referer
header. (Since we've learned that changing Referer might have been a
possible approach too, but alas, implementations are shipping.)
The other reason is that most security decisions in Web browsers (and by
extension, on the Web) are origin-based. It is that restriction that this
draft is trying to alleviate.
--
Anne van Kesteren
http://annevankesteren.nl/