I updated my web security proposal with a fairly large set of changes. I removed Cross Site Request Forgery from the scope of the proposal and instead will focus on the implementation of the Origin
header. The syntax has also been expanded to allow policy creation for a larger set of content types, e.g. not just JavaScript.
Content Security Policy (was Site Security Policy) September 5th, 2008