On Wed, Jun 17, 2009 at 4:32 PM, Ian Hickson <[email protected]> wrote:
> On Wed, 17 Jun 2009, Mark S. Miller wrote:
> > > > >>
> > > > >> If it does transmit any of these currently, are there any
> > > > >> objections to revising the spec so that it doesn't?
> > >
> > > Why?
> >
> > So that the containing page can use such a credential removing service
> > to allow sanitized content within the page to make requests -- either to
> > its own or to other origins -- while preventing this content from
> > "speaking for" the containing page or the user.
>
> The contained page already can't speak on behalf of the containing page --
> that's what removing the Origin (and setting Origin to 'null') prevents.
>

"or the user." So what about
* HTTP auth info
* cookies
* client-side certs
* REFERRER
?

--
Cheers,
--MarkM
