[whatwg] Dealing with UI redress vulnerabilities inherent to the current web

Michal Zalewski lcamtuf at dione.cc
Mon Sep 29 05:20:48 PDT 2008


On Mon, 29 Sep 2008, Anne van Kesteren wrote:

> A cross-site XMLHttpRequest request would always include Origin. I 
> haven't really seen other specifications start using it yet, but I 
> believe there are some experimental implementations for including it in 
> cross-site <form> POST requests.

Yup, I mean the non-XMLHttpRequest "Origin" header as proposed / 
implemented by Adam Barth and Collin Jackson for generic POSTs (though I 
might not be doing the implementation justice, so it's probably best for 
them to chime in).

/mz
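The exchange above is about whether a server can rely on an Origin header to tell cross-site requests apart from its own. The following is an added example, not code from the thread or from the Barth/Jackson implementation: a server-side helper that classifies a request by its Origin header, falls back to Referer when Origin is absent, and leaves the case where a plain form POST carries neither header as "unknown". SITE_ORIGIN, the return labels, and the policy choices (treating a literal "null" origin as cross-site, not gating GET/HEAD) are this example's own assumptions.

```javascript
// Added example, not from the thread. Assumes the site is served from
// SITE_ORIGIN and that incoming header names have been lowercased
// (as Node's http module does).
const SITE_ORIGIN = "https://example.org"; // assumed trusted origin

// Classify a request from its headers. Returns one of:
//   "same-origin" - Origin (or, failing that, Referer) matches SITE_ORIGIN
//   "cross-site"  - a different origin was reported, or the header is unusable
//   "unknown"     - neither header present, e.g. a browser that sends
//                   neither on a generic <form> POST
function classifyRequest(headers) {
  const origin = headers["origin"];
  if (origin !== undefined) {
    // Cross-site XMLHttpRequest always carries Origin; a literal "null"
    // value is treated as cross-site here (policy choice for this example).
    return origin === SITE_ORIGIN ? "same-origin" : "cross-site";
  }
  const referer = headers["referer"];
  if (referer !== undefined) {
    try {
      // Compare the full scheme://host[:port] origin, not a prefix of the
      // string, so "https://example.org.evil.test/" does not match.
      return new URL(referer).origin === SITE_ORIGIN ? "same-origin" : "cross-site";
    } catch (e) {
      return "cross-site"; // unparsable Referer: do not trust it
    }
  }
  return "unknown";
}

// Decide whether a state-changing request should be honoured. Safe methods
// are not gated (they should not change state in the first place). The
// "unknown" case is the awkward one for generic POSTs: rejecting it breaks
// browsers that send neither header, accepting it leaves a CSRF gap, which
// is what an Origin header on ordinary POSTs is meant to resolve.
function shouldAcceptStateChange(method, headers, opts = { rejectUnknown: false }) {
  if (method === "GET" || method === "HEAD") return true;
  const cls = classifyRequest(headers);
  if (cls === "same-origin") return true;
  if (cls === "cross-site") return false;
  return !opts.rejectUnknown;
}
```

Until browsers send Origin on ordinary form posts, a site that wants to close the "unknown" case has to pair this check with something else (a per-session token in the form), since the fallback on Referer is only as reliable as the clients and proxies that choose to send it.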


