Sorry to reply twice, a comment on a different part:

On 15/04/12 05:23, Rohan Jain wrote:
> On 22:50 +0100 / 13 Apr, Luke Plant wrote:
>> .. At the moment, it seems that few browsers send the
>> 'Origin' header for normal HTML requests. (Recent versions of Chrome,
>> Firefox and Opera do not, I don't know about IE).
> 
> Page, http://caniuse.com/cors mentions the browsers and their versions
> which support CORS. A big share of browsers does support it and another
> big one (constituting old IE and Opera) does not. We cannot expect
> these browsers to go away anytime soon, so we have to keep maintaining
> a compatibility system.
> 
> Since http referrer is already being used in case of secure requests,
> how about something similar in normal requests? Isn't the argument
> about referrer being absent only in 0.2% case or less valid here? Is
> 0.2% too significant for normal requests?

The page you linked to shows browsers that support CORS, which is quite
different from browsers that send Origin with normal HTTP requests (i.e.
non-XMLHttpRequest requests) - in my own tests I can't find any browser
that sends it for normal HTML requests.

This means that it might be useful as an alternative way of addressing
the problem with AJAX, but even there I think it is of dubious value: if
we deploy a method that means that AJAX works automatically (without,
for example, the jQuery fix we include in our docs) on the basis of the
Origin header, everything will work fine in development, where most
people don't test IE regularly, and will fail for Internet Explorer in
production, which is not very nice. It is better to fail early.

Regards,

Luke

-- 
"My capacity for happiness you could fit into a matchbox without
taking out the matches first." (Marvin the paranoid android)

Luke Plant || http://lukeplant.me.uk/
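
The failure mode discussed in this message, as an added example that is not part of the original email and is not Django's own code: an Origin-or-token check accepts a token-less AJAX POST from a browser that sends Origin and rejects the same POST from one that does not, while a token-always check rejects both. The function names, the trusted origin and the token value are constructed for illustration.

```python
import hmac

SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}

def tokens_match(cookie_token, submitted_token):
    """Constant-time comparison of the CSRF cookie and the submitted token."""
    if not cookie_token or not submitted_token:
        return False
    return hmac.compare_digest(cookie_token, submitted_token)

def check_origin_or_token(method, headers, cookie_token, trusted_origin):
    """Policy under discussion: accept a matching Origin in place of the token."""
    if method in SAFE_METHODS:
        return True
    origin = headers.get("Origin")
    if origin is not None:
        return origin == trusted_origin
    # No Origin header (the browsers described above): fall back to the token.
    return tokens_match(cookie_token, headers.get("X-CSRFToken"))

def check_token_always(method, headers, cookie_token, trusted_origin):
    """Token required on every unsafe request; Origin can only add a rejection."""
    if method in SAFE_METHODS:
        return True
    origin = headers.get("Origin")
    if origin is not None and origin != trusted_origin:
        return False
    return tokens_match(cookie_token, headers.get("X-CSRFToken"))

# Constructed requests: the same AJAX POST, written without the token header,
# as sent by a browser that adds Origin and by one that does not.
TRUSTED = "https://example.test"
COOKIE = "c0nstructed-token"
XHR_WITH_ORIGIN = {"Origin": TRUSTED, "X-Requested-With": "XMLHttpRequest"}
XHR_NO_ORIGIN = {"X-Requested-With": "XMLHttpRequest"}
XHR_FIXED = {"X-Requested-With": "XMLHttpRequest", "X-CSRFToken": COOKIE}

def outcomes(policy):
    """Return (origin-sending browser, non-sending browser, token sent) results."""
    return tuple(policy("POST", h, COOKIE, TRUSTED)
                 for h in (XHR_WITH_ORIGIN, XHR_NO_ORIGIN, XHR_FIXED))

if __name__ == "__main__":
    print("origin-or-token:", outcomes(check_origin_or_token))
    print("token-always:   ", outcomes(check_token_always))
```

Under the Origin-or-token policy the missing token goes unnoticed until a browser that omits Origin hits the endpoint; under the token-always policy the same omission is rejected in every browser, including the one used in development.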
