[whatwg] Dealing with UI redress vulnerabilities inherent to the current web

Robert O'Callahan robert at ocallahan.org
Mon Sep 29 14:39:37 PDT 2008


On Tue, Sep 30, 2008 at 9:06 AM, Adam Barth <whatwg at adambarth.com> wrote:

> The current proposal is to send the Origin header for non-GET,
> non-HEAD requests.  The main reason not to send the header all the
> time is that it raises similar privacy concerns as the Referer header,
> which have caused the Referer header to be suppressed a non-trivial
> fraction of the time.
>

This is why it would be helpful to also support a "don't load me across
origins" header sent by the server.

Rob
-- 
"He was pierced for our transgressions, he was crushed for our iniquities;
the punishment that brought us peace was upon him, and by his wounds we are
healed. We all, like sheep, have gone astray, each of us has turned to his
own way; and the LORD has laid on him the iniquity of us all." [Isaiah
53:5-6]
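As an added illustration (not code from the thread or from any browser), here is the browser-side enforcement logic the server-sent "don't load me across origins" header would need: the decision is taken from the response alone, so the client never has to disclose its origin in the request. The header name `X-No-Cross-Origin-Load` is a hypothetical stand-in; the mechanism later standardized for the framing case is X-Frame-Options.

```python
from urllib.parse import urlsplit

# Hypothetical header name standing in for the proposed server-sent
# "don't load me across origins" signal. Not a real header.
NO_CROSS_ORIGIN_HEADER = "x-no-cross-origin-load"

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url):
    """Return the (scheme, host, port) tuple identifying a URL's origin.

    Default ports are filled in so https://a.example and
    https://a.example:443 compare as the same origin.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return (scheme, host, port)


def should_block_load(resource_url, embedder_url, response_headers):
    """Decide whether a browser should refuse to load `resource_url` into
    a document whose origin is `embedder_url`.

    The load is blocked only if the server opted out (header value
    "deny") AND the embedding document is cross-origin. No Origin or
    Referer header from the client is needed for this check.
    """
    headers = {k.lower(): v.strip().lower() for k, v in response_headers.items()}
    if headers.get(NO_CROSS_ORIGIN_HEADER) != "deny":
        return False
    return origin_of(resource_url) != origin_of(embedder_url)


if __name__ == "__main__":
    # Constructed sample: a bank page that opts out, embedded by a third party.
    resp = {"Content-Type": "text/html", "X-No-Cross-Origin-Load": "deny"}
    print(should_block_load("https://bank.example/transfer",
                            "https://attacker.example/page", resp))   # True
    print(should_block_load("https://bank.example/transfer",
                            "https://bank.example:443/home", resp))   # False
```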

