[whatwg] Proposal for cross domain security framework
Anne van Kesteren
annevk at opera.com
Mon Jun 23 09:09:16 PDT 2008
On Mon, 23 Jun 2008 14:18:22 +0200, Frode Børli <frode at seria.no> wrote:
> Hi! Thank you for pointing to that document. I quickly scanned through
> it but I have a small problem with the specification: does it require
> web servers to check the Origin header? What happens with older web
> applications that do not check this header?
It's not strictly required, but highly recommended. Older Web applications
wouldn't opt in and would therefore be as vulnerable as they are today.
Anyway, this is the wrong list to debate that specification. You want
public-webapps at w3.org.
--
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>