
Security/Origin

2 bytes removed, 00:00, 18 July 2009
Sec-From header format
To make the Sec-From header useful for server-side protections beyond CSRF, the header may carry the origin of a request (or the string "null") as well as a list of any redirects that led to the final request.
The Sec-From header is described in [http://webblaze.cs.berkeley.edu/2009/origin/origin.txt an internet draft by Adam Barth, Collin Jackson and Ian Hickson]. The general format of the Sec-From header will be:
Sec-From: <origin> [<origin>]*
An <origin> is a combination of scheme, host and port. Unlike HTTP Referer, no path data or query string will be provided in the origin.
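
A server-side check built on the format above, as an added example that is not part of the draft or of this page: it parses the header value (the text after "Sec-From:") into (scheme, host, port) tuples, rejects tokens that carry path or query data, and accepts a request only when every listed origin is allowlisted. The function names, the http/https-only restriction, the "all origins must be trusted" policy and the .example hosts are assumptions of this example.

```python
from urllib.parse import urlsplit

# Assumption for this example: only http and https origins are accepted.
DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_origin(token):
    """Return (scheme, host, port) for one origin, or None for the literal "null"."""
    if token == "null":
        return None
    scheme, sep, authority = token.partition("://")
    scheme = scheme.lower()
    if not sep or scheme not in DEFAULT_PORTS:
        raise ValueError(f"unsupported or missing scheme: {token!r}")
    # An origin is scheme, host and port only: no path, query, fragment or userinfo.
    if not authority or any(c in authority for c in "/?#@\\"):
        raise ValueError(f"not a bare origin: {token!r}")
    parts = urlsplit(f"{scheme}://{authority}")
    if not parts.hostname:
        raise ValueError(f"missing host: {token!r}")
    port = parts.port if parts.port is not None else DEFAULT_PORTS[scheme]
    return (scheme, parts.hostname, port)


def parse_sec_from(value):
    """Split 'Sec-From: <origin> [<origin>]*' into a list of parsed origins."""
    tokens = value.split()
    if not tokens:
        raise ValueError("empty Sec-From value")
    return [parse_origin(t) for t in tokens]


def request_is_trusted(value, allowed):
    """Policy assumed here: every listed origin must be allowlisted; "null" never is."""
    try:
        chain = parse_sec_from(value)
    except ValueError:
        return False
    return all(origin is not None and origin in allowed for origin in chain)


# Constructed allowlist and header values for illustration.
ALLOWED = {parse_origin("https://bank.example")}

if __name__ == "__main__":
    for sample in ("https://bank.example",
                   "https://bank.example https://other.example",
                   "null",
                   "https://bank.example/transfer?to=1"):
        print(f"{sample!r:50} trusted={request_is_trusted(sample, ALLOWED)}")
```

Normalising to a tuple with the default port filled in means `https://bank.example` and `https://bank.example:443` compare equal, which a plain string comparison against the allowlist would miss.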