[whatwg] XXX-Origin header
bil at corry.biz
Thu Apr 2 21:21:54 PDT 2009
Related, HTML5 currently prohibits sending the XXX-Origin header for GET requests. This is to prevent intranet applications leaking their internal hostnames to external sites (are there other reasons?).
However, there is value in a site being able to determine that a request originated from itself, so to that end, I'd like to request that HTML5 specify that the XXX-Origin header should be sent for any same-origin GET requests. This would still avoid leaking intranet hostnames while allowing a site to verify that a request came from itself.
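The following is an added example, not part of the original message or of any specification: it sketches the proposed rule on both sides, with the browser omitting the header only on cross-origin GETs and the server classifying what it receives. The function names, the sample hostnames, and the assumption that non-GET requests always carry the header are illustrative; `XXX-Origin` is the placeholder name used in the message.

```javascript
// Added example; HEADER is the placeholder header name from the message.
const HEADER = "XXX-Origin";

// Serialize an origin as scheme://host[:port]; URL drops default ports.
function originOf(url) {
  return new URL(url).origin;
}

// Client side: which headers a user agent would attach under the proposal.
// Assumption: non-GET requests always carry the header.
function headersFor(method, documentUrl, targetUrl) {
  const source = originOf(documentUrl);
  const sameOrigin = source === originOf(targetUrl);
  if (method.toUpperCase() === "GET" && !sameOrigin) {
    // Cross-origin GET: omit the header so internal hostnames do not leak.
    return {};
  }
  return { [HEADER]: source };
}

// Server side: classify a request against the site's own origin.
// `headers` is a plain object keyed by the header name (constructed input).
function classify(siteOrigin, headers) {
  const value = headers[HEADER];
  if (value === undefined) {
    // Cross-origin GET or a user agent that never sends the header:
    // the server cannot tell which, so this is not proof of same-origin.
    return "absent";
  }
  let claimed;
  try {
    claimed = originOf(value);
  } catch {
    return "cross-origin"; // malformed value is never treated as our own
  }
  return claimed === originOf(siteOrigin) ? "same-origin" : "cross-origin";
}
```

Only the `same-origin` result tells the site that a request came from itself; `absent` stays ambiguous because user agents that do not implement the header also produce it.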