Adam Barth wrote on 6/20/2009 6:25 PM:
On Sat, Jun 20, 2009 at 12:57 PM, Bil Corryb...@corry.biz wrote:
I've lost track, is this still something being considered?
I should have an updated draft posted soon.
I'm not clear with the new draft if it now allows Sec-From for same-origin GET
Ian Hickson wrote on 6/2/2009 8:11 PM:
On Thu, 2 Apr 2009, Bil Corry wrote:
Related, HTML5 currently prohibits sending the XXX-Origin header for GET
requests. This is to prevent intranet applications leaking their
internal hostnames to external sites (are there other reasons?).
However,
On Thu, 2 Apr 2009, Bil Corry wrote:
Since the public-webapps list was never able to reconcile[1] HTML5's
Origin header (now renamed XXX-Origin[2]) with CORS's Origin header[3],
we're left with two headers with similar implementations and similar
names. Due to this, it may prudent to