Re: [spec-reviews] "With Credentials" flag possibly inconsistent with web architecture (#76) from Jonas Sicking on 2016-02-05 (public-webapps-github@w3.org from February 2016)

From: Jonas Sicking <notifications@github.com>
Date: Thu, 04 Feb 2016 16:07:09 -0800
To: w3ctag/spec-reviews <spec-reviews@noreply.github.com>
Message-ID: <w3ctag/spec-reviews/issues/76/180113070@github.com>

Having thought about this some more, so here's some further thoughts.

I agree with the TAG that the way things currently work is that most APIs which is used for loading a resource simply take a URL. This is true in both JS libraries and in the built-in web platform APIs.

However, in practice what happens after that is that these APIs then add a default set of headers, and use a default verb, when requesting the resource. The exact headers and verb varies with the API (for better or worse). So when the request actually hits the wire, it's not just the URL which is sent, but significant amounts of other parameters as well.

Some of these APIs, especially APIs used specifically for loading a URL and returning the raw response unprocessed, additionally accept arguments which allows overriding the default headers and the default verb. So for example XHR and fetch() does this, but `<img>`, `<script>` and `background: url(X)` (in CSS) does not.

(An interesting nit here is that XHR doesn't actually have a default verb. It requires that a verb is always explicitly defined. But I don't think this has been particularly popular with authors, as demonstrated by the number of XHR-wrapping libraries which do use GET as default verb).

This all seems pretty similar to the CORS-mode. I.e. all APIs have a default behavior with regards to when credentials are included and when they are not, and whether CORS is enforced or not. Some of the APIs have parameters which allow overriding the default mode, but some do not.

I agree that it's unfortunate that there are now *three* types of parameters: verb, headers and CORS-mode. Prior to CORS there were just two.

I also agree that maybe we've used the wrong default CORS-mode in some APIs. So far we've aimed for a combination of backwards compatibility and safety. Which is why `<img>` defaults to "no-CORS" and XHR defaults to CORS-without-credentials.

Over the years I have personally gotten more requests for making more APIs support overriding the default verb/headers/CORS-mode. For example requests to allow setting headers on <img>, or using POST for <iframe>. The number of these requests that I have personally gotten outnumber the number of requests I've gotten for removing the .withCredentials parameter from XHR.

But this is based on personal experience and might differ from other people's experiences.

In any case, I agree that CORS increases the ways that you can configure a URL load, but it doesn't seem to me that it fundamentally changes how it's done.

There's certainly cost to the increase in configurability. There's always a cost to having choice. But there's benefit too, in the form of increased security.

Maybe we are disagreeing about if the benefit outweighs the cost.

---
Reply to this email directly or view it on GitHub:
https://github.com/w3ctag/spec-reviews/issues/76#issuecomment-180113070

Received on Friday, 5 February 2016 00:07:45 UTC