On Mon, 23 Jun 2008 14:18:22 +0200, Frode Børli <[EMAIL PROTECTED]> wrote:
> Hi! Thank you for pointing to that document. I quickly scanned through
> it but I have a small problem with the specification: does it require
> web servers to check the Origin header? What happens with older web
> applications that do not check this header?

It's not strictly required, but highly recommended. Older Web applications wouldn't opt in and would therefore be as vulnerable as they are today. Anyway, this is the wrong list to debate that specification. You want [EMAIL PROTECTED]

Anne van Kesteren
