<div dir="ltr">On Tue, Sep 30, 2008 at 9:06 AM, Adam Barth <span dir="ltr">&lt;<a href="mailto:whatwg@adambarth.com">whatwg@adambarth.com</a>&gt;</span> wrote:<br><div class="gmail_quote"><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
The current proposal is to send the Origin header for non-GET,<br>
non-HEAD requests. The main reason not to send the header all the<br>
time is that it raises similar privacy concerns as the Referer header,<br>
which have caused the Referer header to be suppressed a non-trivial<br>
fraction of the time.<br>
</blockquote><div> </div></div>This is why it would be helpful to also support a "don't load me across origins" header sent by the server.<br><br>Rob<br>-- <br>"He was pierced for our transgressions, he was crushed for our iniquities; the punishment that brought us peace was upon him, and by his wounds we are healed. We all, like sheep, have gone astray, each of us has turned to his own way; and the LORD has laid on him the iniquity of us all." [Isaiah 53:5-6]<br>
</div>