- From: Jon Ferraiolo <jferrai@us.ibm.com>
- Date: Thu, 19 Jun 2008 14:36:52 -0700
- To: Jonas Sicking <jonas@sicking.cc>
- Cc: public-webapps@w3.org
- Message-ID: <OF6753EF46.2B97B5AA-ON8825746D.0073E85F-8825746D.0076BB91@us.ibm.com>
> Maciej Stachowiak wrote:
> >
> > On Jun 14, 2008, at 4:23 AM, Jonas Sicking wrote:

...snip...

> > I mean, I guess it's possible people will do this, but people could add
> > "Access-Control-Allow-Credentials" site-wide too. And if we add
> > "Access-Control-Allow-Credentials-I-Really-Mean-It", they'll add even more.
>
> Yes, this is certainly a possibility. But my hope is that this will
> happen to a smaller extent.

I share the "smaller extent" hope with Jonas, and his latest proposals look good to me. My assumption is that 99% of all cross-site XHR usage will not require credentials/cookies. Therefore, what makes sense is a simple way that server developers can opt-in to credential-free cross-site XHR which tells the browser to allow cross-site credential-free XHR to their site. Then, in an advanced section of the AC spec, talk about how some workflows might want credentials to be sent, and here is the extra header to enable credentials (Access-Control-Allow-Credentials), but this section of the spec should include SHOUTING TEXT about potential dangers and instruct the developer that he should not enable transmission of credentials unless he is sure that he needs it and he is sure that he knows what he is doing (such as understanding what a CSRF attack is). I realize that some developers won't read the spec carefully or notice the shouting text, but I expect most tutorials and examples on the Web will follow the lead from the spec and help to teach people to steer clear of the Access-Control-Allow-Credentials header unless they know what they are doing.

Jon
Received on Thursday, 19 June 2008 21:39:49 UTC
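The two opt-in modes the message contrasts, modelled as an added example (not code from the thread or the spec): a server emitting credential-free versus credentialed CORS headers, and the browser-side decision that refuses credentials against a wildcard grant. Header names and the wildcard rule follow CORS as later standardized; the allowlist and origins are constructed sample values.

```javascript
// Added example modelling the server opt-in and browser check for
// cross-site XHR. Header names and the "*" rule follow CORS as later
// standardized (assumption: the 2008 draft discussed used the same names).

// Credential-free opt-in: any origin may read the response, but the
// browser never attaches cookies or HTTP auth to such requests.
function publicCorsHeaders() {
  return { 'access-control-allow-origin': '*' };
}

// Credentialed opt-in: echo back only origins on an explicit allowlist,
// together with Allow-Credentials. A wildcard is never emitted here, and
// arbitrary origins are never echoed, since that would hand an attacker's
// page the user's cookies: the CSRF-style mistake the thread warns about.
function credentialedCorsHeaders(requestOrigin, allowlist) {
  if (!allowlist.includes(requestOrigin)) {
    return {}; // not allowed: emit no CORS headers at all
  }
  return {
    'access-control-allow-origin': requestOrigin,
    'access-control-allow-credentials': 'true',
    'vary': 'Origin', // keeps caches from serving one origin's grant to another
  };
}

// Model of the browser's decision: may script on `requestOrigin` read this
// response? `withCredentials` mirrors XMLHttpRequest.withCredentials.
function browserExposesResponse(requestOrigin, withCredentials, headers) {
  const allowOrigin = headers['access-control-allow-origin'];
  if (allowOrigin === undefined) return false; // server did not opt in
  if (!withCredentials) {
    return allowOrigin === '*' || allowOrigin === requestOrigin;
  }
  // Credentialed request: wildcard is refused, origin must match exactly,
  // and the server must explicitly say credentials are allowed.
  return allowOrigin === requestOrigin &&
         headers['access-control-allow-credentials'] === 'true';
}

// Demo: a credentialed request against a wildcard grant is not exposed.
console.log(browserExposesResponse('https://app.example', true, publicCorsHeaders())); // false
```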