[whatwg] Do we need to rename the Origin header?
Bil Corry
bil at corry.biz
Wed Jun 24 17:48:18 PDT 2009
Adam Barth wrote on 6/20/2009 6:25 PM:
> On Sat, Jun 20, 2009 at 12:57 PM, Bil Corry<bil at corry.biz> wrote:
>> I've lost track, is this still something being considered?
>
> I should have an updated draft posted soon.
I'm not clear from the new draft whether it now allows Sec-From for same-origin GET requests; it says:
-----
Whenever a user agent issues an HTTP request from a "privacy-
sensitive" context, the user agent MUST send the value "null" in the
Sec-From header.
-----
But it doesn't define "privacy-sensitive". It does say:
-----
The Sec-From header also improves on the Referer header by NOT
leaking intranet host names to external Web sites when a user follows
a hyperlink from an intranet host to an external site because
hyperlinks generate privacy-sensitive requests.
-----
So presumably a GET request to the same origin isn't a "privacy-sensitive" request, but I'm just double-checking. I think explicitly defining or referencing what constitutes a "privacy-sensitive" request would greatly improve the draft.
- Bil