2009/6/12 Mark S. Miller <[email protected]>:
> On Tue, Jun 9, 2009 at 12:22 AM, Adam Barth <[email protected]> wrote:
>> On Mon, Jun 8, 2009 at 5:59 PM, Mark S. Miller <[email protected]> wrote:
>> > For concreteness, for the Origin header for these requests, I'll start with
>> > the simplest proposal that meets my goals: no Origin header for either same
>> > origin requests or cross origin requests. But for both the same origin case
>> > and the cross origin case, I am actually indifferent between no Origin
>> > header and an "Origin: null" header. If there's a reason for the "Origin:
>> > null" header, I'm happy with that.
>>
>> Please send "Origin: null" in these cases. The problem with omitting
>> the origin header is that the server can't tell if the request comes
>> from a legacy client or if the header was removed in transit.
>
> * Why does this argument not also apply to credential-free GuestXHR requests
> back to the same origin?

It does. If you want to send a credential-free XHR, please use Origin:
null. That is, in fact, what the null means.

> What server side behavior difference do you expect between messages with no
> Origin and messages with "Origin: null"?

You'll have to include Origin: null for POST requests. You should
include it for GET as well.

> This difference does not affect much of anything I care about, so I'm still
> happy to spec it as we agreed.

Great.

> I'd just like to understand the rationale. It makes more sense to me for all
> GuestXHR requests to be labeled the same way regardless of the origin of the
> originating page. Either same way seems more coherent to me than the current
> agreement.

Yes. I agree. They should all have Origin: null.

Adam
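
The three server-visible states the thread distinguishes (no Origin header, "Origin: null", and a concrete origin) as an added server-side policy sketch; this is example code, not part of the thread or of any browser or spec, and the TRUSTED_ORIGINS allowlist, the Decision fields and the GET handling are assumptions.

```python
# Added example: acting on the Origin header states discussed in the thread.
# Policy, names and the allowlist below are assumptions, not from the thread.
from dataclasses import dataclass
from typing import Mapping, Optional

# Constructed allowlist: the site's own origin plus any partner origins that may
# make credentialed (cookie-bearing) requests.
TRUSTED_ORIGINS = {"https://app.example.test"}


@dataclass(frozen=True)
class Decision:
    allowed: bool
    credentialed: bool  # may the handler act on the ambient cookie identity?
    reason: str


def get_origin(headers: Mapping[str, str]) -> Optional[str]:
    """Case-insensitive Origin lookup (HTTP header names are case-insensitive);
    returns None when the header is absent altogether."""
    for name, value in headers.items():
        if name.lower() == "origin":
            return value.strip()
    return None


def decide(method: str, headers: Mapping[str, str]) -> Decision:
    """Classify a request by its Origin header, per the rationale in the thread."""
    origin = get_origin(headers)
    method = method.upper()
    if origin is None:
        # Absent header is ambiguous: a legacy client, or a header stripped in
        # transit. A POST must carry Origin (null or concrete), so refuse it.
        if method == "POST":
            return Decision(False, False, "POST without Origin: legacy or stripped")
        # Assumption: a GET has no side effects, so a legacy GET is tolerated.
        return Decision(True, True, "GET without Origin: assumed legacy client")
    if origin == "null":
        # Explicit credential-free request (GuestXHR): serve it, but never with
        # the caller's ambient authority.
        return Decision(True, False, "Origin: null: credential-free request")
    if origin in TRUSTED_ORIGINS:
        return Decision(True, True, "trusted origin: credentialed request")
    return Decision(False, False, "untrusted origin: refused")
```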
