Security/Origin: Difference between revisions



=== Diversion from CORS Origin header ===
 
We've chosen to create a new header (rather than blend in with the CORS Origin header) so that we can support redirect chains and are not limited to protecting XHR requests. As a result, a name different from "Origin" needed to be chosen.
 
'''What's in a name?''' <tt>Sec-From</tt> was chosen for two simple reasons.  First, according to X, headers whose names begin with <tt>Sec-</tt> cannot be set or changed from XMLHttpRequest, so they are more difficult to spoof.  Second, since the header describes which origins ''caused'' the request, not the context in which the response will be rendered, "From" seemed to be an appropriate descriptor.
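The spoofing argument above rests on a browser-side rule: script cannot set request headers whose names begin with <tt>Sec-</tt>. The following is an added illustration, not code from this page or from the Sec-From proposal, that models that rule as the WHATWG Fetch standard states it today (forbidden request-header names plus the <tt>Sec-</tt> and <tt>Proxy-</tt> prefixes; the page cites "X" for its version of the rule, and the exact list has changed over time, so the list below is an assumption). It shows a page script trying to forge <tt>Sec-From</tt> and <tt>Origin</tt> alongside ordinary <tt>X-</tt> headers, which of them the browser would drop, and which of the received headers a server could therefore treat as browser-set rather than script-set. The sample header set is constructed for the example.

```javascript
// Added example (not part of the wiki page): a model of the browser-side
// "forbidden request-header" rule that makes Sec- headers hard to spoof.
// Assumption: the name list and prefixes follow the current WHATWG Fetch
// standard; the page itself cites "X" for the XHR-era version of the rule.

const FORBIDDEN_NAMES = new Set([
  'accept-charset', 'accept-encoding', 'access-control-request-headers',
  'access-control-request-method', 'connection', 'content-length', 'cookie',
  'cookie2', 'date', 'dnt', 'expect', 'host', 'keep-alive', 'origin',
  'referer', 'set-cookie', 'te', 'trailer', 'transfer-encoding', 'upgrade', 'via',
]);
const FORBIDDEN_PREFIXES = ['sec-', 'proxy-'];

// Header names are case-insensitive, so compare in lower case.
function isForbiddenRequestHeader(name) {
  const n = name.toLowerCase();
  return FORBIDDEN_NAMES.has(n) || FORBIDDEN_PREFIXES.some((p) => n.startsWith(p));
}

// Model of XMLHttpRequest.setRequestHeader()/fetch(): the browser silently
// drops forbidden names (no exception is thrown), so the script's attempt
// leaves the outgoing request untouched. Returns what would actually be sent
// and which names were discarded.
function simulateScriptHeaders(attempted) {
  const sent = {};
  const dropped = [];
  for (const [name, value] of Object.entries(attempted)) {
    if (isForbiddenRequestHeader(name)) dropped.push(name);
    else sent[name] = value;
  }
  return { sent, dropped };
}

// Server-side view: of the headers that arrived from a browser client, which
// could only have been set by the browser itself (and so carry provenance a
// script could not have forged)? Anything else, e.g. an X- header, is only as
// trustworthy as the script that sent it.
function trustedHeaders(received) {
  return Object.fromEntries(
    Object.entries(received).filter(([name]) => isForbiddenRequestHeader(name))
  );
}

// Constructed sample: a hostile page script trying to claim a different
// origin via both the proposed Sec-From header and the CORS Origin header.
const ATTEMPTED = {
  'Sec-From': 'https://attacker.example',
  'Origin': 'https://attacker.example',
  'X-Requested-With': 'XMLHttpRequest',
  'X-From': 'https://attacker.example',
};

const outcome = simulateScriptHeaders(ATTEMPTED);
console.log('sent by browser:', outcome.sent);
console.log('dropped as forbidden:', outcome.dropped);
console.log('server may trust:', trustedHeaders({ 'Sec-From': 'https://real.example', ...outcome.sent }));
```

The point the model makes explicit: a <tt>Sec-From</tt> value that reaches the server was put there by the browser, whereas an <tt>X-From</tt> carrying the same information is under the page's control and proves nothing.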


=== Why not include a frame list? ===