
Re: XHR without user credentials

From: Mark S. Miller <erights@google.com>
Date: Mon, 8 Jun 2009 14:35:21 -0700
Message-ID: <4d2fac900906081435s1a5ececey7ff5c484c8352400@mail.gmail.com>
To: Anne van Kesteren <annevk@opera.com>
Cc: Tyler Close <tyler.close@gmail.com>, Adam Barth <w3c@adambarth.com>, public-webapps <public-webapps@w3.org>
On Mon, Jun 8, 2009 at 2:17 PM, Anne van Kesteren <annevk@opera.com> wrote:

> > We already have a feature to do a request without credentials. Set the
> > withCredentials flag to false. (If you meant something else that was not
> > clear from the context, at least to me.)
>
> Though saying that I realize this is currently a strictly cross-origin
> feature. I suppose we can change that but having the defaults be different
> is somewhat awkward.
>

Good. Thanks for considering this extension. It is indeed important to
suppress presentation of credentials even for same origin requests.

When the withCredentials flag is set to false, does it also issue an
"Origin: null" header? If not, then -- given the recommended server behavior
-- this flag isn't doing its job, since an identified origin header is still
a form of credential. As mentioned earlier, for credential-free same origin
requests, it would be adequate either to say "Origin: null" or to leave the
Origin header absent.

-- 
   Cheers,
   --MarkM
Received on Monday, 8 June 2009 21:35:57 GMT
