On Sep 20, 2016, at 7:54 PM, John R. Levine <johnl(_at_)iecc(_dot_)com> wrote:
>> There's a reason why browsers send "Origin:" headers, the MUA should
>> do the same when doing POST requests based on email headers.
> MUAs have been doing GETs and, for messages with forms in them, POSTs
> for over a decade. What origin headers do they send now? Why is this
> different?
I take no issue with GETs. The "Origin:" header is comparatively new,
and AFAIK should be present in all POSTs that are triggered via email
content.
Perhaps some of the MUAs that submit forms (sorry, I don't use any that
do) predate "Origin:". It may also be possible that in this context adding
"Origin" is not a useful cross-origin security measure. I hope someone
more knowledgeable in HTTP security will chime in.
--
Viktor.
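The reason "Origin:" matters on the receiving side is that a service can use it to distinguish a POST submitted from one of its own pages from one submitted from somewhere else (or from a non-browser client that announces no origin at all). As an added example, not code from the thread or from any of its participants, here is a minimal server-side allowlist check of the kind a service would run before acting on a state-changing POST. The allowlisted origins and the sample request headers are constructed placeholders; a check like this only helps if the posting client actually sends "Origin:", which is exactly the point under discussion above.

```python
"""Server-side Origin allowlist check for state-changing POST requests.

Added example, not part of the original message.  ALLOWED_ORIGINS and
SAMPLE_REQUESTS are constructed placeholders, not values from the thread.
"""
from urllib.parse import urlsplit

# Origins from which this service expects its own forms to be submitted.
# Placeholder values.
ALLOWED_ORIGINS = {"https://www.example.com", "https://mail.example.com"}


def normalize_origin(value):
    """Canonicalise an Origin header value to scheme://host[:port].

    Returns None when the value is not an http(s) origin, and the literal
    string "null" for the opaque origin browsers send as "Origin: null"
    (e.g. from a sandboxed frame), so the caller can decide on it
    explicitly rather than matching it by accident.
    """
    if value is None:
        return None
    value = value.strip()
    if value.lower() == "null":
        return "null"
    parts = urlsplit(value)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    try:
        port = parts.port          # raises ValueError on a malformed port
    except ValueError:
        return None
    origin = f"{parts.scheme}://{parts.hostname}"   # hostname is lowercased
    default_port = 443 if parts.scheme == "https" else 80
    if port is not None and port != default_port:
        origin += f":{port}"
    return origin


def check_post_origin(headers, allowed=ALLOWED_ORIGINS, allow_missing=False):
    """Decide whether a POST may proceed, based only on its Origin header.

    headers:       mapping of header names to values (looked up case-insensitively)
    allow_missing: accept requests that carry no Origin header at all; off by
                   default so a client that does not identify its origin is
                   rejected rather than silently trusted
    Returns (accepted: bool, reason: str).
    """
    lowered = {name.lower(): val for name, val in headers.items()}
    raw = lowered.get("origin")
    if raw is None:
        return (allow_missing, "no Origin header")
    origin = normalize_origin(raw)
    if origin is None:
        return (False, f"unparseable Origin {raw!r}")
    if origin == "null":
        return (False, "opaque (null) Origin")
    if origin in allowed:
        return (True, f"Origin {origin} is allowlisted")
    return (False, f"Origin {origin} is not allowlisted")


# Constructed sample requests (header subsets only, not captured traffic).
SAMPLE_REQUESTS = {
    "same-site form":     {"Host": "www.example.com", "Origin": "https://www.example.com"},
    "case/port variant":  {"Origin": "HTTPS://WWW.EXAMPLE.COM:443"},
    "other site":         {"Origin": "https://other.example"},
    "opaque origin":      {"Origin": "null"},
    "no origin":          {"Content-Type": "application/x-www-form-urlencoded"},
}


def evaluate_samples(allow_missing=False):
    """Run the check over SAMPLE_REQUESTS; returns {name: accepted}."""
    return {name: check_post_origin(h, allow_missing=allow_missing)[0]
            for name, h in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, hdrs in SAMPLE_REQUESTS.items():
        ok, why = check_post_origin(hdrs)
        print(f"{name:18s} -> {'accept' if ok else 'reject'} ({why})")
```

The default of rejecting a request with no "Origin:" is the strict setting; `allow_missing=True` is the compatibility knob for clients that predate the header, which is the trade-off the message above is weighing.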