Changes


Security/Origin

911 bytes added, 23:50, 20 July 2009
=== Selection of "null" token ===
TODO: describe why we chose "null" instead of something like "redacted" or "private" or "fail".
 
In some scenarios, the string "null" is sent in lieu of origin information. This is done to indicate that the cause of the request is not trustworthy, even though it may come from the same origin. Certain requests are not generally useful as state-changing triggers (like requests for stylesheets, images or window navigation) and probably should not be trusted even if sent same-origin.
 
We chose the string "null" because of its neutral connotations. The Sec-From header must ''always'' be sent to indicate support from the User Agent; "null" seems to indicate that, though Sec-From is supported, the User Agent didn't think the request should be trusted to trigger state change. Other tokens could be used that more aptly describe the meaning of an "empty but present" header value: "redacted", "private" or "unsafe". "null" is fairly standard across HTTP, though, and for now we have opted to use it.
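The three header states the paragraph above distinguishes (header absent, header present with the value "null", header present with an origin) map naturally onto a server-side decision about whether a request may trigger a state change. The following is an added example, not code from the wiki page or from the Sec-From proposal; the header name Sec-From is taken from the text, while the allow-list, the set of state-changing methods, the origin serialization, and the policy of refusing state changes when the header is absent are assumptions made here for illustration.

```python
"""Server-side handling of a Sec-From header (added example, not from the
wiki page).  Assumptions: the header is named Sec-From, an absent header means
the user agent does not implement it, the literal "null" means the user agent
supports the header but does not vouch for this request, and any other value
is a serialized origin such as https://host[:port]."""

from urllib.parse import urlsplit

# Constructed allow-list of origins permitted to trigger state changes.
TRUSTED_ORIGINS = {"https://app.example.test"}

# Assumed set of methods treated as state-changing.
STATE_CHANGING_METHODS = {"POST", "PUT", "PATCH", "DELETE"}


def classify_sec_from(value):
    """Map a raw Sec-From header value to one of three categories."""
    if value is None:
        return "unsupported"   # header absent: user agent does not send Sec-From
    if value.strip().lower() == "null":
        return "null"          # present, but the user agent declined to vouch
    return "origin"


def normalize_origin(value):
    """Return scheme://host[:port] in lowercase, or None if malformed."""
    try:
        parts = urlsplit(value.strip())
        port = parts.port   # raises ValueError on a non-numeric port
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    default = 443 if parts.scheme == "https" else 80
    host = parts.hostname.lower()
    if port is None or port == default:
        return f"{parts.scheme}://{host}"
    return f"{parts.scheme}://{host}:{port}"


def allow_state_change(method, headers):
    """Decide whether a request may trigger a state change.

    Returns (allowed, reason).  Read-only methods are always allowed here;
    the Sec-From check only gates the state-changing ones.
    """
    if method.upper() not in STATE_CHANGING_METHODS:
        return True, "read-only method"
    value = headers.get("Sec-From")
    kind = classify_sec_from(value)
    if kind == "unsupported":
        # Assumed policy: without the header, some other anti-CSRF check
        # must carry the decision, so this function alone refuses.
        return False, "no Sec-From header; another anti-CSRF check is required"
    if kind == "null":
        return False, "Sec-From: null; user agent did not vouch for the request"
    origin = normalize_origin(value)
    if origin is None:
        return False, "malformed Sec-From value"
    if origin in TRUSTED_ORIGINS:
        return True, f"trusted origin {origin}"
    return False, f"untrusted origin {origin}"


if __name__ == "__main__":
    # Constructed sample requests covering each header state.
    for method, hdrs in [
        ("GET", {"Sec-From": "null"}),
        ("POST", {"Sec-From": "null"}),
        ("POST", {"Sec-From": "https://app.example.test"}),
        ("POST", {"Sec-From": "https://other.example.test"}),
        ("POST", {}),
    ]:
        print(method, hdrs, "->", allow_state_change(method, hdrs))
```

The important property the example makes concrete is that "null" is not the same as an absent header: an absent header says nothing about the user agent, whereas "null" is an explicit statement that the user agent implements Sec-From and chose not to attach an origin to this particular request.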
=== Diversion from CORS Origin header ===