On Wed, 14 Jan 2009 20:36:12 +0100, Bil Corry <b...@corry.biz> wrote:
Jonas Sicking wrote on 1/14/2009 12:53 PM:
The problem I think is that the current name, 'Origin', is extremely
generic and so it's likely to cause confusion once we get other
headers containing origins.
That said, I do understand that this is a very late change for you
guys. Developers will code to what works, so as long as things work
the same across browsers, with regards to this and the CSRF protection
header, things should be mostly ok.
What do other people think?
I liked your suggestion that would marry the two:
Jonas Sicking wrote on 1/12/2009 7:22 PM:
> That said, here is a solution that might work for both Access-Control
> and CSRF protection:
>
> Site A makes a request to site B,
> the UA adds the header "Origin: A"
> Site B redirects the request to site C,
> the UA adds the header "Origin: A, B"
This would mean significant changes to the draft which would not work well
for Microsoft. Renaming I would like to consider, changing the semantics
drastically seems out of order at this point.
--
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>
