
Security/Origin

1,060 bytes added, 23:13, 17 July 2009
When Sec-From is served (and when it is "null")
| YES || None ||
|}
 
=== Privacy-Sensitive Contexts ===
To elaborate on the table above: the [http://webblaze.cs.berkeley.edu/2009/origin/origin.txt Sec-From Internet Draft] states that "null" must be sent as the value of Sec-From instead of origin data when the request is initiated from a privacy-sensitive context. The following is the list of privacy-sensitive contexts:
 
; Anchor tag/hyperlink click : Hyperlinks are a common way to jump from one site to another without any trust relationship. They should not be used to initiate state-changing procedures.
; Window navigation : Changing the location of a window is a common way to mimic a hyperlink click.
; Image load (<img> tag) : Third-party images are commonly embedded across origins and can be used as "web bugs".
; Stylesheet : Third-party stylesheets should not initiate state-changing requests.
; Dependent load in a stylesheet : Usually an image; protected for the same reasons as the image load above.
 
The remaining contexts are not privacy-sensitive, and origin information should be transmitted in the Sec-From header.
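The rules above, modelled as an added example (not code from the Mozilla wiki or the Sec-From draft): one function gives the Sec-From value a conforming browser would send for a given initiating context, and one shows how a server could gate state-changing requests on that header. The context names, the trusted-origin list and the policy of rejecting requests that lack the header are assumptions made for illustration.

```python
from typing import Mapping, Set

# Initiating contexts the draft treats as privacy-sensitive; for these the
# browser sends "null" instead of the initiating origin. Names are assumed.
PRIVACY_SENSITIVE_CONTEXTS = {
    "hyperlink",             # <a href> click
    "window-navigation",     # window.location change mimicking a click
    "image",                 # <img> load
    "stylesheet",            # third-party stylesheet load
    "stylesheet-dependent",  # e.g. a url() image referenced by a stylesheet
}


def sec_from_value(context: str, initiating_origin: str) -> str:
    """Value a conforming browser would put in Sec-From for a request
    initiated from `context` by a document at `initiating_origin`."""
    if context in PRIVACY_SENSITIVE_CONTEXTS:
        return "null"
    return initiating_origin


def allow_state_change(method: str, headers: Mapping[str, str],
                       trusted_origins: Set[str]) -> bool:
    """Server-side check for a state-changing request.

    Safe methods are allowed through unchecked. Otherwise the request is
    permitted only when Sec-From names a trusted origin: "null" means it came
    from a privacy-sensitive context (hyperlink, image, stylesheet, ...) that
    must never change state, and an absent header (assumed policy) means the
    client gave us nothing to verify, so the request is rejected.
    """
    if method.upper() in ("GET", "HEAD", "OPTIONS"):
        return True
    # HTTP header names are case-insensitive; normalise before lookup.
    lowered = {name.lower(): value for name, value in headers.items()}
    sec_from = lowered.get("sec-from")
    if sec_from is None or sec_from == "null":
        return False
    return sec_from in trusted_origins


if __name__ == "__main__":
    # Constructed sample: a cross-site <img> load cannot transfer money,
    # a form post from the site's own origin can.
    trusted = {"https://bank.example"}
    img = sec_from_value("image", "https://other.example")
    print("img -> Sec-From:", img, "allowed:",
          allow_state_change("POST", {"Sec-From": img}, trusted))
    form = sec_from_value("form-submit", "https://bank.example")
    print("form -> Sec-From:", form, "allowed:",
          allow_state_change("POST", {"Sec-From": form}, trusted))
```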
= Implementation =