> On Sep 20, 2016, at 7:54 PM, John R. Levine <johnl@xxxxxxxx> wrote:
>
>> There's a reason why browsers send "Origin:" headers, the MUA should
>> do the same when doing POST requests based on email headers.
>
> MUAs have been doing GETs and, for messages with forms in them, POSTs
> for over a decade. What origin headers do they send now? Why is this
> different?

I take no issue with GETs. The "Origin:" header is comparatively new,
and AFAIK should be present in all POSTs that are triggered via email
content. Perhaps some of the MUAs that submit forms (sorry, I don't
use any that do) predate "Origin:". It may also be possible that in this
context adding "Origin" is not a useful cross-origin security measure.
I hope someone more knowledgeable in HTTP security will chime in.

--
Viktor.