On Wed, 6 Mar 2013, Anne van Kesteren wrote:
It seems we have a bunch of different policies for setting the Origin
header :-(
XMLHttpRequest always sets it to the given value.
HTML's fetch only sets it to a non-null value if a from parameter is
passed.
I originally wanted it to always
On Thu, Mar 7, 2013 at 7:29 PM, Adam Barth w...@adambarth.com wrote:
I don't have strong feelings one way or another. Generally, I think
it's a good idea if the presence of the Origin header isn't synonymous
with the request being a CORS request because that could limit our
ability to use the
On Fri, Mar 8, 2013 at 2:23 AM, Anne van Kesteren ann...@annevk.nl wrote:
On Thu, Mar 7, 2013 at 7:29 PM, Adam Barth w...@adambarth.com wrote:
I don't have strong feelings one way or another. Generally, I think
it's a good idea if the presence of the Origin header isn't synonymous
with the
On Fri, Mar 8, 2013 at 6:21 PM, Adam Barth w...@adambarth.com wrote:
I would recommend including an Origin header in every non-GET request
(and, of course, in some GET requests because of CORS).
That sounds fairly straightforward. Thanks!
--
http://annevankesteren.nl/
On Wed, Mar 6, 2013 at 3:21 PM, Anne van Kesteren ann...@annevk.nl wrote:
Unless PHP does not expose Origin under HTTP_ORIGIN in $_SERVER as one
would expect...
(It does btw.)
So I also tested the fetch from an origin in the specification
http://dump.testsuite.org/fetch/form.html and it turns
On Thu, Mar 7, 2013 at 9:07 AM, Anne van Kesteren ann...@annevk.nl wrote:
On Wed, Mar 6, 2013 at 3:21 PM, Anne van Kesteren ann...@annevk.nl wrote:
Unless PHP does not expose Origin under HTTP_ORIGIN in $_SERVER as one
would expect...
(It does btw.)
So I also tested the fetch from an origin
It seems we have a bunch of different policies for setting the Origin header :-(
XMLHttpRequest always sets it to the given value.
HTML's fetch only sets it to a non-null value if a from parameter is passed.
HTML's potentially CORS-enabled fetch seems to never invoke fetch
with a from parameter
On Wed, Mar 6, 2013 at 2:46 PM, Anne van Kesteren ann...@annevk.nl wrote:
So HTML's potentially CORS-enabled fetch is incompatible with
XMLHttpRequest.
Turns out the wonderful browsers are not implementing XMLHttpRequest!
So XMLHttpRequest could do the same as HTML's potentially
CORS-enabled