Merge pull request #48 from gdamjan/master

evancz · web-flow · commit 615275c1dac5 · 2018-11-18T18:54:07.000-05:00
Origin instead of Host
diff --git a/src/Http.elm b/src/Http.elm
@@ -772,7 +772,7 @@ This is called [`withCredentials`][wc] in JavaScript, and it allows a couple
 other risky things as well. It can be useful if `www.example.com` needs to
 talk to `uploads.example.com`, but it should be used very carefully!
 
-For example, every HTTP request includes a `Host` header revealing the domain,
+For example, every HTTP request includes a `Origin` header revealing the domain,
 so any request to `facebook.com` reveals the website that sent it. From there,
 cookies can be used to correlate browsing habits with specific users. “Oh, it
 looks like they visited `example.com`. Maybe they want ads about examples!”
