[whatwg] Do we need to rename the Origin header?

Bil Corry bil at corry.biz
Sat Jun 20 12:57:50 PDT 2009


Ian Hickson wrote on 6/2/2009 8:11 PM: 
> On Thu, 2 Apr 2009, Bil Corry wrote:
>> Related, HTML5 currently prohibits sending the XXX-Origin header for GET 
>> requests.  This is to prevent intranet applications leaking their 
>> internal hostnames to external sites (are there other reasons?).
>>
>> However, there is value in a site being able to determine that a request 
>> originated from itself, so to that end, I'd like to request that HTML5 
>> specify that the XXX-Origin header should be sent for any same-origin 
>> GET requests.  This would still avoid leaking intranet hostnames while 
>> allowing a site to verify that a request came from itself.
> 
> That's an interesting idea; Adam, what do you think? I'm a bit wary of 
> adding too many features at once here, and it's difficult to define 
> exactly what constitutes a same-origin request sometimes, so this might not
> be that easy to do.

I've lost track; is this still something being considered?


- Bil
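
The proposal quoted above, modelled as an added example (not code from this thread, the HTML5 draft, or any browser): a client-side rule for when the header is attached, and the check a site would run on receipt. The function names, the sample hostnames, and the behaviour that non-GET requests always carry the header are assumptions; "XXX-Origin" is the thread's placeholder name.

```javascript
// Added illustration of the same-origin GET proposal; all names are hypothetical.

// Serialize an http(s) URL to scheme://host[:port]. The URL parser lowercases
// the host and drops default ports, so https://A.example:443 and
// https://a.example compare equal. Other schemes have no usable origin here.
function originOf(url) {
  const u = new URL(url);
  if (u.protocol !== "http:" && u.protocol !== "https:") return null;
  return u.origin;
}

// Client side: the header value to send, or undefined to omit the header.
function originHeaderFor(method, initiatorUrl, targetUrl) {
  const src = originOf(initiatorUrl);
  const dst = originOf(targetUrl);
  if (src === null || dst === null) return undefined;
  // Assumption: non-GET requests carry the header regardless of target.
  if (method.toUpperCase() !== "GET") return src;
  // Proposal: GET carries it only when initiator and target origins match,
  // so an intranet hostname is never disclosed to another site via GET.
  return src === dst ? src : undefined;
}

// Server side: classify a request from its (lowercased) header map.
// A missing header proves nothing: it may be a cross-origin GET, or a
// client that does not implement the header at all.
function classifyRequest(headers, ownUrl) {
  const value = headers["xxx-origin"];
  if (value === undefined) return "unknown";
  return value === originOf(ownUrl) ? "same-origin" : "cross-origin";
}

// Constructed sample requests.
const samples = [
  ["GET", "https://app.example/page", "https://app.example:443/api"],
  ["GET", "http://wiki.corp.internal/page", "https://external.example/img.png"],
  ["GET", "http://app.example/", "https://app.example/"], // scheme differs
];
for (const [m, from, to] of samples) {
  console.log(m, from, "->", to, ":", originHeaderFor(m, from, to));
}
```

A site using this would treat only "same-origin" as positive evidence and fall back to its existing checks for "unknown".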



