On Thu, Jun 11, 2009 at 4:35 AM, Jonathan Rees<[email protected]> wrote:
> I think this may be a foolish question, but is the value of Origin:
> limited to sites? Couldn't it be an individual web page (URI)? Or a
> wildcard? Is there some principled reason for such a limitation (if it
> exists)?

If we changed the value of the Origin header to be a URI instead of
an origin, then it would be very similar to the Referer header.
Limiting the Origin header to an origin improves the privacy of the
Referer header.  Also, the additional information (path, query, etc)
is not useful for making security decisions because the URIs can just
script each other on the client anyway.

Adam
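
The distinction drawn in the reply, as an added example that is not part of the original message: it reduces URIs to the scheme/host/port tuple an Origin value carries, and shows a server-side check that accepts only a bare origin. The host names, the allow-list and the function names `originOf` and `isAllowedOrigin` are constructed for illustration.

```javascript
// Added example, not code from the thread. All host names are constructed.

// Reduce a URI to the scheme/host/port tuple that an Origin value carries.
// Path, query, fragment and userinfo are dropped, which is the privacy gain
// over Referer that the reply mentions.
function originOf(uri) {
  return new URL(uri).origin;
}

// Server-side check: accept only a bare origin that exactly matches an entry
// in the allow-list. The literal value "null" is never trusted here.
function isAllowedOrigin(headerValue, allowList) {
  if (typeof headerValue !== "string" || headerValue === "null") return false;
  let parsed;
  try {
    parsed = new URL(headerValue);
  } catch {
    return false; // not parseable as a URL at all
  }
  // A well-formed Origin value round-trips unchanged through serialisation.
  // Anything carrying a path, query, fragment or userinfo does not.
  if (parsed.origin !== headerValue) return false;
  return allowList.includes(parsed.origin);
}

// Constructed sample: two different pages on the same site.
const pageA = "https://bank.example/accounts/12345?view=statement";
const pageB = "https://bank.example/forum/post/99#reply";
const ALLOWED = ["https://bank.example"];

// Both pages yield the same Origin value, so the header cannot tell them
// apart. That costs nothing for security decisions, since same-origin pages
// can script each other on the client anyway.
console.log(originOf(pageA), originOf(pageB));
console.log(isAllowedOrigin(originOf(pageA), ALLOWED)); // accepted
console.log(isAllowedOrigin(pageA, ALLOWED));           // full URI: rejected
```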
