W3C home > Mailing lists > Public > public-webapps@w3.org > April to June 2009

Re: XHR without user credentials

From: Adam Barth <w3c@adambarth.com>
Date: Tue, 9 Jun 2009 09:29:15 -0700
Message-ID: <7789133a0906090929r54fb4307ic914062fdaff91f0@mail.gmail.com>
To: Tyler Close <tyler.close@gmail.com>
Cc: "Mark S. Miller" <erights@google.com>, Anne van Kesteren <annevk@opera.com>, public-webapps <public-webapps@w3.org>
On Tue, Jun 9, 2009 at 9:19 AM, Tyler Close<tyler.close@gmail.com> wrote:
> On Tue, Jun 9, 2009 at 12:22 AM, Adam Barth<w3c@adambarth.com> wrote:
>> Please send "Origin: null" in these cases.  The problem with omitting
>> the origin header is that the server can't tell if the request comes
>> from a legacy client or if the header was removed in transit.
>
> For the GuestXMLHttpRequest scenario, why should the server
> distinguish between these two cases?

In one case, the request is coming from the non-guest part of the page
in a legacy browser.  In the other case, the request is coming from
the guest part of the page in a supporting browser.  Isn't the whole
point of this feature to be able to distinguish guest and non-guest?

Adam
Received on Tuesday, 9 June 2009 16:30:07 GMT

This archive was generated by hypermail 2.3.1 : Tuesday, 26 March 2013 18:49:31 GMT