[whatwg] Dealing with UI redress vulnerabilities inherent to the current web
lcamtuf at dione.cc
Mon Sep 29 05:20:48 PDT 2008
On Mon, 29 Sep 2008, Anne van Kesteren wrote:
> A cross-site XMLHttpRequest request would always include Origin. I
> haven't really seen other specifications start using it yet, but I
> believe there are some experimental implementations for including it in
> cross-site <form> POST requests.
Yup, I mean the non-XMLHttpRequest "Origin" header as proposed /
implemented by Adam Barth and Collin Jackson for generic POSTs (though I
might not be doing the implementation justice, so it's probably best for
them to chime in).