On 2011-08-26 09:58, Adam Barth wrote:
> ... That could well be important if the Origin header is used in other protocols, such as CORS. Would you recommend requiring the first or the last instance? ...
(cc'ing the IETF WG; I was replying to the wrong email thread)

I think the right thing to do would be to recommend one of:

- treat the message as invalid, or
- ignore the header field (whatever that means...).

Picking one of the two seems to be the wrong approach.

Best regards, Julian

_______________________________________________
websec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/websec
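The two options named in the message above, sketched as an added example that is not part of the original thread or of any specification text. It assumes that "ignore the header field" means treating Origin as absent; the allow-list, function names and sample requests are constructed for illustration.

```python
# Added example: handling a request that carries more than one Origin
# header field, without ever picking the first or the last instance.
ALLOWED_ORIGINS = {"https://app.example"}  # constructed allow-list (assumption)


class InvalidMessage(Exception):
    """Raised when the request is treated as invalid."""


def parse_header_fields(raw):
    """Return (lower-cased name, value) pairs from a raw header block, in wire order."""
    fields = []
    for line in raw.split("\r\n"):
        if not line:
            continue
        name, sep, value = line.partition(":")
        # Reject lines with no colon, an empty name, or whitespace around the name.
        if not sep or not name or name != name.strip():
            raise InvalidMessage("malformed header line: %r" % line)
        fields.append((name.lower(), value.strip()))
    return fields


def effective_origin(fields, policy="reject"):
    """Return the single Origin value, or None if it is absent or ignored."""
    values = [v for n, v in fields if n == "origin"]
    if len(values) <= 1:
        return values[0] if values else None
    if policy == "reject":   # option 1: treat the message as invalid
        raise InvalidMessage("%d Origin header fields" % len(values))
    if policy == "ignore":   # option 2 (assumed meaning): behave as if none was sent
        return None
    raise ValueError("unknown policy: %r" % policy)


def cors_allow_origin(raw, policy="reject"):
    """Return the origin to echo in Access-Control-Allow-Origin, or None."""
    origin = effective_origin(parse_header_fields(raw), policy)
    return origin if origin in ALLOWED_ORIGINS else None


# Constructed sample header blocks.
SINGLE = "Host: api.example\r\nOrigin: https://app.example\r\n"
DOUBLE = ("Host: api.example\r\n"
          "Origin: https://app.example\r\n"
          "origin: https://other.example\r\n")
```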
