
Security/Origin

275 bytes added, 22:39, 17 July 2009
When Sec-From is served (and when it is "null")
{| border="1" cellpadding="2"
|-
! API !! Send Origins !! Workaround to Default Behavior Get Origin Value !! Notes
|-
! Anchor tag
|-
! IMG
| "null" || If we were to send the RequestType then we could send the origin || Images are easy to inject into a site.
|-
! iframe, embed, applet
|-
! stylesheets
| YES "null" || None N/A || ?CSS is generally session-dependent and requests for such should not be state modifying.
|-
! dependent loads from stylesheets
| "null" || ? N/A || ?These are <tt>url()</tt> calls within CSS and are mainly images.
|-
! Redirects
| YES* || None || *Before honoring a redirect, append the current origin to the end of the Sec-From value (unless the last origin in the header is equal to the current origin, in which case do not modify its value). Set Origin: entire header value to "null" if the redirect crosses FQDN boundaries or if the initial value is "null".
|-
! XHR
| YES* || None || *Comply with Access Control behavior
|}
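
The Redirects row above, worked through as an added example (not code from this page or from any browser implementation). It assumes the origins in Sec-From are separated by spaces and reads "crosses FQDN boundaries" as the redirect target's host name differing from that of the URL that issued the redirect; the function names and the <tt>.example</tt> URLs are made up for illustration.

```javascript
// Added illustration of the Redirects row; helper names are hypothetical.
// Assumption: Sec-From carries a space-separated list of serialized origins.

// Value of Sec-From to send with the request that follows one redirect.
//   secFrom    - header value sent with the request that got redirected
//   currentUrl - URL that answered with the redirect ("current origin")
//   targetUrl  - Location value, absolute or relative to currentUrl
function secFromAfterRedirect(secFrom, currentUrl, targetUrl) {
  const value = secFrom.trim();
  // An initial "null" is never replaced by real origins.
  if (value === 'null') return 'null';

  const current = new URL(currentUrl);
  const target = new URL(targetUrl, currentUrl);
  // Assumption: an FQDN boundary is crossed when the host names differ.
  if (current.hostname !== target.hostname) return 'null';

  // Same FQDN: append the current origin unless it is already last.
  const chain = value === '' ? [] : value.split(/\s+/);
  if (chain[chain.length - 1] !== current.origin) chain.push(current.origin);
  return chain.join(' ');
}

// Fold the rule over a whole redirect chain: urls[0] redirects to urls[1],
// which redirects to urls[2], and so on.
function secFromAcrossHops(initial, urls) {
  let value = initial;
  for (let i = 0; i + 1 < urls.length; i++) {
    value = secFromAfterRedirect(value, urls[i], urls[i + 1]);
  }
  return value;
}

// Constructed chain: a scheme change on one host, then a hop to another
// host, then a hop that stays on that second host.
const hops = [
  'http://app.example/go',
  'https://app.example/done',
  'https://other.example/x',
  'https://other.example/y',
];
console.log(secFromAfterRedirect('https://app.example', hops[0], hops[1]));
console.log(secFromAcrossHops('https://app.example', hops));
```

Once the value has collapsed to "null" it stays "null" for the rest of the chain, so a later same-host hop cannot reintroduce an origin list.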
 
= Implementation =