On Wed, 17 Jun 2009, Mark S. Miller wrote:
> On Wed, Jun 17, 2009 at 4:32 PM, Ian Hickson <[email protected]> wrote:
> > On Wed, 17 Jun 2009, Mark S. Miller wrote:
> > > > > >>
> > > > > >> If it does transmit any of these currently, are there any
> > > > > >> objections to revising the spec so that it doesn't?
> > > >
> > > > Why?
> > >
> > > So that the containing page can use such a credential removing
> > > service to allow sanitized content within the page to make requests
> > > -- either to its own or to other origins -- while preventing this
> > > content from "speaking for" the containing page or the user.
> >
> > The contained page already can't speak on behalf of the containing
> > page -- that's what removing the Origin (and setting Origin to 'null')
> > prevents.
>
> "or the user."
But... we want the page talking on behalf of the user. That's the point of
a browser. I don't really understand what we're trying to prevent here.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
