On Sat, 24 May 2008 20:48:00 +0200, Adam Barth <[EMAIL PROTECTED]> wrote:
People often suggest that we should attach the Origin header to GET
requests as well as POST requests.  This increases the security
benefits of the proposal, but it also increases the privacy cost
because the header would then be sent for every hyperlink click.  Many
organizations suppress the Referer header at their network boundary to
prevent external sites from learning the structure of their internal
network.  While the Origin header does not include the path (and thus
reveals much less information), the names of internal hosts might
still be sensitive.  We think restricting the header to POST requests
will discourage these organizations from suppressing the header
because it is much less common for an internal site to POST to an
external site (compared with how common it is for an internal site to
hyperlink to an external site).

Interesting. I note that for cross-site requests using Access Control (XMLHttpRequest, server-sent events, XSLT, XBL, and maybe more later...) we need this Origin header to always function. Also for GET requests. (Though these GET requests are distinct from the ones you get from <a> in that the response data is somehow exposed to the origin from which the request originated if the third party agrees.)

Having said that, if Access Control becomes successful, disabling Origin would break major sites, so maybe it's not much of an issue.


Of course, XHR2 could use the Access-Control-Origin header and this
proposal could use the Origin header, but the two are conceptually
very similar and it might be worthwhile to use the same header name.

Ok, I'll use Origin.

Thanks!


--
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>
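As an added illustration of the two server-side uses of the header discussed above (not code from either participant), the following Python sketches how a site could act on Origin: a CSRF check on POST that falls back to Referer when the header has been suppressed, and the Access Control case where the server decides whether a cross-site GET response may be exposed. The origin values and the exact-string comparison are constructed assumptions.

```python
from urllib.parse import urlsplit

# Constructed values for the example: the protected site and the
# partners allowed to read cross-site responses under Access Control.
SITE_ORIGIN = "https://app.example"
CROSS_SITE_ALLOWED = {"https://partner.example"}


def origin_of(url):
    """Reduce a URL to scheme://host[:port]; the path is deliberately dropped."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}"


def check_post_origin(headers, site_origin=SITE_ORIGIN):
    """CSRF check for a state-changing POST. Returns (allowed, reason).

    Comparison is an exact string match on the origin; a production
    check would normalise scheme case and default ports first.
    """
    origin = headers.get("Origin")
    if origin is None:
        # No Origin: an older browser, or a boundary proxy that strips it.
        # Fall back to the Referer's origin; with neither present, fail closed.
        referer = headers.get("Referer")
        if referer is None:
            return False, "no Origin and no Referer: fail closed"
        return origin_of(referer) == site_origin, "fell back to Referer origin"
    return origin == site_origin, "Origin compared with site origin"


def cors_response_headers(headers, allowed=CROSS_SITE_ALLOWED):
    """Access Control decision for a cross-site GET carrying Origin.

    The server 'agrees' to expose the response only by echoing the
    requesting origin; with no such header the browser withholds the body
    from the requesting page even though the GET itself was performed.
    """
    origin = headers.get("Origin")
    if origin in allowed:
        return {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
    return {}


if __name__ == "__main__":
    print(check_post_origin({"Origin": "https://evil.example"}))
    print(cors_response_headers({"Origin": "https://partner.example"}))
```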
