[-public-web-security, to avoid cross-posting too much]

On Fri, Aug 26, 2011 at 1:08 AM, Julian Reschke <[email protected]> wrote:
> On 2011-08-26 09:58, Adam Barth wrote:
>> ...
>> That could well be important if the Origin header is used in other
>> protocols, such as CORS. Would you recommend requiring the first or
>> the last instance?
>> ...
>
> (cc'ing the IETF WG; I was replying to the wrong email thread)
>
> I think the right thing to do would be to recommend one of:
>
> - treat the message as invalid, or
>
> - ignore the header field (whatever that means...).
>
> Picking one of the two seems to be the wrong approach.
Ok. Maybe the best solution is to treat the header as if it contained the value "null", which basically means the server doesn't know which origin sent the message. That's what we recommend user agents do when they get confused about what value to put in the header.

Adam

_______________________________________________
websec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/websec
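The server-side handling discussed in this thread, written out as an added example that is not part of the original messages: a request with more than one Origin field is treated as if it carried "null", the value browsers already send when they cannot name an origin, so it never matches a CORS allow-list. The header lists and the allow-list are constructed for the example; `naive_origin` only shows why "pick the first or last instance" gives an ambiguous answer.

```python
"""Handling a request that carries more than one Origin header field."""
from typing import List, Optional, Tuple

Header = Tuple[str, str]

# Constructed allow-list for this example.
ALLOWED_ORIGINS = {"https://app.example.com"}

# Constructed header lists, as a server sees them after parsing the request.
SINGLE_ORIGIN_REQUEST: List[Header] = [
    ("Host", "api.example.com"),
    ("Origin", "https://app.example.com"),
]
DUPLICATE_ORIGIN_REQUEST: List[Header] = [
    ("Host", "api.example.com"),
    ("Origin", "https://app.example.com"),
    ("Origin", "https://other.example"),
]


def naive_origin(headers: List[Header], pick: str = "first") -> Optional[str]:
    """The approach the thread argues against: pick one of the instances."""
    values = [v for name, v in headers if name.lower() == "origin"]
    if not values:
        return None
    return values[0] if pick == "first" else values[-1]


def effective_origin(headers: List[Header]) -> Optional[str]:
    """Origin value the server should act on.

    No Origin field  -> None (nothing to check; not a CORS request)
    Exactly one      -> that value, whitespace trimmed
    More than one    -> "null": the same value user agents send when they
                        cannot name an origin, so it is already untrusted
    """
    values = [v.strip() for name, v in headers if name.lower() == "origin"]
    if not values:
        return None
    if len(values) > 1:
        return "null"
    return values[0]


def cors_allow_origin(headers: List[Header]) -> Optional[str]:
    """Value to emit in Access-Control-Allow-Origin, or None to omit it."""
    origin = effective_origin(headers)
    if origin is None or origin == "null":
        return None
    # Exact string match against the allow-list; "null" can never match.
    return origin if origin in ALLOWED_ORIGINS else None
```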
