[whatwg] Fetch: Origin header
ian at hixie.ch
Tue Jul 23 13:30:26 PDT 2013
On Wed, 6 Mar 2013, Anne van Kesteren wrote:
> It seems we have a bunch of different policies for setting the Origin
> header :-(
> XMLHttpRequest always sets it to the given value.
> HTML's "fetch" only sets it to a non-null value if a from parameter is
I originally wanted it to always be passed, but there are cases where
that's not done for various reasons (mainly privacy or compatibility). The
Origin spec handles this via "privacy-sensitive contexts"; if you look at
the HTML spec source and search for "privacy-sensitive" you'll find
> HTML's "potentially CORS-enabled fetch" seems to never invoke "fetch"
> with a from parameter except indirectly via CORS' cross-origin request.
Right, the idea there is to basically defer to CORS.
On Thu, 7 Mar 2013, Anne van Kesteren wrote:
> So I also "tested" the "fetch from an origin" in the specification
> http://dump.testsuite.org/fetch/form.html and it turns out that only
> WebKit exhibits this behavior. Other browsers do not include Origin in a
> navigation that uses the POST method.
This is unsurprising, it's new requirements in old parts of the spec and
it's unlikely browsers will be updated until it's something we test in the
On Fri, 8 Mar 2013, Anne van Kesteren wrote:
> Okay. So currently the mix of the Origin specification and the HTML
> specification suggests you either do "Origin: /origin/" or "Origin:
> null". However WebKit seems to do "Origin: /origin/" or no header at all
> (for the "privacy-sensitive" cases). Ian also mentioned that we can not
> just put the Origin header into every outgoing request as that breaks
> the interwebs (per research you did for Chrome I believe?).
"Origin: null" is what the Origin spec requires, I think, so we should
update that spec if we don't do that.
Ian Hickson U+1047E )\._.,--....,'``. fL
http://ln.hixie.ch/ U+263A /, _.. \ _\ ;`._ ,.
Things that are impossible just take longer. `._.-(,_..'--(,_..'`-.;.'
More information about the whatwg