
Re: XHR without user credentials

From: Adam Barth <w3c@adambarth.com>
Date: Tue, 9 Jun 2009 11:19:15 -0700
Message-ID: <7789133a0906091119s207cc58eq4a3fdb23cdf916f4@mail.gmail.com>
To: Tyler Close <tyler.close@gmail.com>
Cc: "Mark S. Miller" <erights@google.com>, Anne van Kesteren <annevk@opera.com>, public-webapps <public-webapps@w3.org>
On Tue, Jun 9, 2009 at 9:38 AM, Tyler Close <tyler.close@gmail.com> wrote:
> On Tue, Jun 9, 2009 at 9:29 AM, Adam Barth <w3c@adambarth.com> wrote:
>> Isn't the whole
>> point of this feature to be able to distinguish guest and non-guest?
>
> So requests from XMLHttpRequest have an Origin header, and requests
> from GuestXMLHttpRequest don't. The server should treat requests
> coming from GuestXMLHttpRequest as bits arriving from an unknown
> client (i.e., a "guest"), and so only authorize them based on
> information explicitly included in the request.

Given an HTTP request, what algorithm should the server use to
determine whether the request was generated by GuestXMLHttpRequest?

Adam
Received on Tuesday, 9 June 2009 18:20:08 GMT
