[whatwg] Proposal for cross domain security framework

Anne van Kesteren annevk at opera.com
Mon Jun 23 09:09:16 PDT 2008

On Mon, 23 Jun 2008 14:18:22 +0200, Frode Børli <frode at seria.no> wrote:
> Hi! Thank you for pointing to that document. I quickly scanned through
> it but I have a small problem with the specification: does it require
> web servers to check the Origin header? What happens with older web
> applications that do not check this header?

It's not strictly required, but highly recommended. Older Web applications  
wouldn't opt-in and would therefore be as vulnerable as they are today.  
Anyway, this is the wrong list to debate that specification. You want  
public-webapps at w3.org.

Anne van Kesteren
