
Re: XMLHttpRequest Object feedback

From: Jim Ley <jim@jibbering.com>
Date: Sun, 9 Apr 2006 15:24:48 +0100
Message-ID: <000601c65be1$5be8caf0$2402a8c0@Snufkin>
To: <public-webapi@w3.org>

"Jonas Sicking" <jonas@sicking.cc>
>> There's no arguably about it, many firewalls block it, as do others to 
>> anonymise user activity through the web, such things cannot be relied on. 
>> I also don't see the author use cases for shopping cart checks?  Surely 
>> these use cookie based state methods.
>
> Cookie based solutions won't work since cookies are sent with XHR. So to 
> the site it'll look like this was a real request.

XHR can only request the same site in normal situations, so now I really 
don't understand what the problem you're trying to illustrate is?  There are 
much bigger problems with allowing cross-site XHR than can be solved with 
referrer.

>> Site authors already cannot rely on referrer, so quite why they should be 
>> able to rely on it with XHR I don't know, forcing special behavior on 
>> UAs depending on where a request comes from seems to be something you 
>> should do only in the most extreme situation.
>
> Saying that referrer can't be overridden isn't really 'forcing special 
> behaviour'.

The request was for referrer to be required, that's the special behaviour, 
unless you make it also required, I see no point in requiring it can't be 
overridden...

Jim. 
Received on Sunday, 9 April 2006 14:25:55 GMT
