[whatwg] Do we need to rename the Origin header?

Bil Corry bil at corry.biz
Wed Jun 24 17:48:18 PDT 2009


Adam Barth wrote on 6/20/2009 6:25 PM: 
> On Sat, Jun 20, 2009 at 12:57 PM, Bil Corry<bil at corry.biz> wrote:
>> I've lost track, is this still something being considered?
> 
> I should have an updated draft posted soon.

I'm not clear with the new draft if it now allows Sec-From for same-origin GET requests, it says:

-----
   Whenever a user agent issues an HTTP request from a "privacy-
   sensitive" context, the user agent MUST send the value "null" in the
   Sec-From header.
-----

But it doesn't define "privacy-sensitive".  It does say:

-----
   The Sec-From header also improves on the Referer header by NOT
   leaking intranet host names to external Web sites when a user follows
   a hyperlink from an intranet host to an external site because
   hyperlinks generate privacy-sensitive requests.
-----

So presumably a GET request to the same origin isn't a "privacy-sensitive" request, but I'm just double-checking.  I think explicitly defining or referencing what constitutes a "privacy-sensitive" request would greatly improve the draft.


- Bil





More information about the whatwg mailing list