This is an archived snapshot of W3C's public bugzilla bug tracker, decommissioned in April 2019.

Bug 17843 - Expected use of Origin HTTP header
Summary: Expected use of Origin HTTP header
Status: RESOLVED FIXED
Alias: None
Product: WHATWG
Classification: Unclassified
Component: HTML
Version: unspecified
Hardware: Other other
Importance: P3 normal
Target Milestone: Unsorted
Assignee: Ian 'Hixie' Hickson
QA Contact: contributor
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2012-07-18 07:01 UTC by contributor
Modified: 2012-10-09 18:51 UTC
CC: 8 users

See Also:

Description contributor 2012-07-18 07:01:15 UTC
This was cloned from bug 16841 as part of operation convergence.
Originally filed: 2012-04-24 17:52:00 +0000
Original reporter: Patrick Ladd <Pat_Ladd2@cable.comcast.com>

================================================================================
 #0   Patrick Ladd                                    2012-04-24 17:52:20 +0000 
--------------------------------------------------------------------------------
Section 2.7.6 "CORS-enabled fetch" executes the CORS "resource sharing check" which fails if the server did not include an Access-Control-Allow-Origin header in the response to the request.  This implies that if the user agent did not send an Origin header the resource sharing check will fail and cause the potentially CORS-enabled fetch to taint or fail depending on the mode.  In order to clarify the expectation, one possible solution is a statement describing what happens when the Origin header is not sent by the user agent.  For example, add a sentence at the end of the first paragraph in section 2.7.6 that states, "If the user agent did not include an Origin header in the request, then the result of the potentially CORS-enabled fetch is success as defined for URL has the same origin as origin."
================================================================================
 #1   Anne                                            2012-04-24 20:23:48 +0000 
--------------------------------------------------------------------------------
The expectation would be that it is tainted.
================================================================================
 #2   Patrick Ladd                                    2012-04-24 20:35:55 +0000 
--------------------------------------------------------------------------------
Are you saying a clarification isn't needed or the recommended statement should indicate taint rather than success?
================================================================================
 #3   Anne                                            2012-04-24 20:39:41 +0000 
--------------------------------------------------------------------------------
Clarification might be nice, although user agents that do not implement CORS seem somewhat broken to me, but you can definitely never get more sharing without CORS than with. It should be either tainted or result in failure.
================================================================================
 #4   Mark Vickers                                    2012-04-26 19:22:03 +0000 
--------------------------------------------------------------------------------
So, why don't we require CORS?
================================================================================
 #5   Odin Hørthe Omdal                               2012-05-08 12:47:45 +0000 
--------------------------------------------------------------------------------
Hmm. What are you more specifically asking about? The user agent always sends an Origin header if it's doing a CORS-enabled fetch.

http://dev.w3.org/html5/spec/urls.html#cors-enabled-fetch

So e.g. <img src=cross> will always show you the picture, but it'll be tainted because that's the default - AFAIK it won't send an Origin header because its mode is "No CORS".

<img src=cross crossorigin>, however, will take a different branch and do a real cross-fetch (either success or fail).

<img src=same crossorigin> will go into the first branch, but will restart the algorithm if it's redirected to cross.


So all real cross-domain uses should be sending an Origin header, AFAICS.
================================================================================
 #6   Patrick Ladd                                    2012-05-10 23:40:33 +0000 
--------------------------------------------------------------------------------
The user agent may always send an Origin header when doing a CORS-enabled fetch, but I don't see where the CORS or HTML5 specifications mandate use of that header.  I thought there might be reluctance to add such a requirement so the initial proposal was to clarify what happens when the user agent does not send an Origin header.  I'm hopeful the editors will acknowledge that lack of clarity and either accept or make counter proposals to the suggestions.
================================================================================
Comment 1 Ian 'Hixie' Hickson 2012-09-26 23:02:19 UTC
I've updated HTML to say that if you implement HTTP you must implement Origin also. This then invokes all the rules in the Origin spec about "the origin that initiated the HTTP request", which causes the header to be included.
Comment 2 Ian 'Hixie' Hickson 2012-10-09 18:51:16 UTC
(see bug 17836)
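The three branches Odin walks through in #5 (No CORS, crossorigin, and same-origin crossorigin redirected cross-origin), together with the missing-Origin case Patrick raises in #0, as an added model written for this page. It is not code from the bug, the HTML spec or any browser: the origins, URLs, allow list, redirect and the transport function are constructed, and the fetch algorithm is my reading of HTML section 2.7.6 and the CORS "resource sharing check" as they stood in 2012. Runs under Node using the global URL class.

```javascript
"use strict";
// Added example: model of HTML's "potentially CORS-enabled fetch" and the
// CORS "resource sharing check". Everything below is constructed for the
// example; it is not the spec text or any user agent's implementation.

const ORIGIN_OF = (url) => new URL(url).origin;

// Constructed server: a CORS resource that echoes an allow-listed Origin.
// With no Origin header on the request there is nothing to echo, so no
// Access-Control-Allow-Origin is sent at all.
function serveCorsResource(reqHeaders, allowList) {
  const headers = {};
  const origin = reqHeaders.origin;
  if (origin !== undefined && allowList.includes(origin)) {
    headers["access-control-allow-origin"] = origin;
    headers["access-control-allow-credentials"] = "true";
  }
  return { status: 200, headers, body: "<pixels>" };
}

// CORS "resource sharing check": the response must name the requesting
// origin ("*" only for non-credentialed requests). A request that carried
// no Origin header can never match, which is the situation #0 asks about.
function resourceSharingCheck(requestOrigin, response, withCredentials) {
  const acao = response.headers["access-control-allow-origin"];
  if (acao === undefined) return false;
  if (acao === "*") return !withCredentials;
  if (requestOrigin === undefined || acao !== requestOrigin) return false;
  return !withCredentials ||
    response.headers["access-control-allow-credentials"] === "true";
}

// Potentially CORS-enabled fetch (assumed reading of HTML 2.7.6, 2012).
// mode: "No CORS" | "Anonymous" | "Use Credentials"
// defaultBehaviour: "taint" | "fail" (what No CORS yields cross-origin)
// transport(url, headers) is the constructed network; sendOrigin = false
// reproduces a user agent that omits Origin even in a CORS mode.
function potentiallyCorsEnabledFetch(url, origin, mode, defaultBehaviour,
                                     transport, sendOrigin = true) {
  for (let hop = 0; hop < 8; hop++) {
    if (ORIGIN_OF(url) === origin || mode === "No CORS") {
      const res = transport(url, {});                // no Origin header here
      if (res.status === 302) { url = res.headers.location; continue; } // restart
      if (ORIGIN_OF(url) === origin) return "success";
      return defaultBehaviour === "taint" ? "tainted" : "failure";
    }
    const withCredentials = mode === "Use Credentials";
    const res = transport(url, sendOrigin ? { origin } : {});
    if (res.status === 302) { url = res.headers.location; continue; }
    return resourceSharingCheck(sendOrigin ? origin : undefined, res,
                                withCredentials) ? "success" : "failure";
  }
  return "failure";                                   // redirect loop
}

const APP = "https://app.example";                    // constructed document origin
const ALLOW_LIST = [APP];                             // constructed server allow list

// Constructed transport: /go on the app origin redirects to the CDN origin,
// every other app URL is plain same-origin, the CDN is the CORS resource.
function makeTransport(log) {
  return (url, headers) => {
    log.push({ url, origin: headers.origin });
    const u = new URL(url);
    if (u.origin === APP && u.pathname === "/go")
      return { status: 302, headers: { location: "https://cdn.example/pic.png" } };
    if (u.origin === APP) return { status: 200, headers: {}, body: "<pixels>" };
    return serveCorsResource(headers, ALLOW_LIST);
  };
}

// Each scenario records the outcome and whether any hop sent Origin.
function runScenarios() {
  const out = {};
  const run = (name, url, origin, mode, sendOrigin = true) => {
    const log = [];
    const result = potentiallyCorsEnabledFetch(url, origin, mode, "taint",
                                               makeTransport(log), sendOrigin);
    out[name] = { result, originSent: log.some((r) => r.origin !== undefined) };
  };
  run("img cross (No CORS)", "https://cdn.example/pic.png", APP, "No CORS");
  run("img cross crossorigin", "https://cdn.example/pic.png", APP, "Anonymous");
  run("img cross crossorigin, origin not allow-listed",
      "https://cdn.example/pic.png", "https://evil.example", "Anonymous");
  run("img same crossorigin, redirected cross", `${APP}/go`, APP, "Anonymous");
  run("crossorigin but UA omits Origin (#0)",
      "https://cdn.example/pic.png", APP, "Anonymous", false);
  return out;
}

console.log(runScenarios());
```

The last scenario is the point of the bug: in a CORS mode with Origin omitted, an echoing server has nothing to echo, the check fails and the fetch fails rather than succeeding as #0 proposed; requiring Origin whenever HTTP is implemented (Comment 1) removes that branch. The redirect scenario shows why the same-origin branch restarts: the first hop sends no Origin, the cross-origin hop does.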