[whatwg] Do we need to rename the Origin header?
Bil Corry
bil at corry.biz
Sat Jun 20 12:57:50 PDT 2009
Ian Hickson wrote on 6/2/2009 8:11 PM:
> On Thu, 2 Apr 2009, Bil Corry wrote:
>> Related, HTML5 currently prohibits sending the XXX-Origin header for GET
>> requests. This is to prevent intranet applications leaking their
>> internal hostnames to external sites (are there other reasons?).
>>
>> However, there is value in a site being able to determine that a request
>> originated from itself, so to that end, I'd like to request that HTML5
>> specify that the XXX-Origin header should be sent for any same-origin
>> GET requests. This would still avoid leaking intranet hostnames while
>> allowing a site to verify that a request came from itself.
>
> That's an interesting idea; Adam, what do you think? I'm a bit wary of
> adding too many features at once here, and it's difficult to define
> exactly what constitutes a same-origin request sometimes, so this might not
> be that easy to do.
I've lost track, is this still something being considered?
- Bil