Changes

Security/Origin

551 bytes added, 23:37, 20 July 2009
Diversion from CORS Origin header
=== Diversion from CORS Origin header ===
We've chosen to create a new header (and not to blend in with the CORS Origin header) so that we have support for redirect chains and are not limited to protecting XHR requests. As a result, a name different from "Origin" needed to be chosen.

'''What's in a name?''' <tt>Sec-From</tt> was chosen for two simple reasons. First, according to X, headers prefixed with <tt>Sec-</tt> cannot be set or changed from XML HTTP requests and are more difficult to spoof. Second, since the header will describe what origins ''caused'' the request, and not in what context the result will be rendered, "From" seemed to be an appropriate descriptor.
=== Why not include a frame list? ===