Re: XHR without user credentials

From: Tyler Close <tyler.close@gmail.com>
Date: Tue, 9 Jun 2009 12:15:18 -0700
Message-ID: <5691356f0906091215s1518fc35q66aafc47ef82babc@mail.gmail.com>
To: Anne van Kesteren <annevk@opera.com>
Cc: Adam Barth <w3c@adambarth.com>, "Mark S. Miller" <erights@google.com>, public-webapps <public-webapps@w3.org>

On Tue, Jun 9, 2009 at 12:09 PM, Anne van Kesteren <annevk@opera.com> wrote:
> On Tue, 09 Jun 2009 18:38:47 +0200, Tyler Close <tyler.close@gmail.com> wrote:
>> So requests from XMLHttpRequest have an Origin header, and requests
>> from GuestXMLHttpRequest don't. The server should treat requests
>> coming from GuestXMLHttpRequest as bits arriving from an unknown
>> client (ie: a "guest"), and so only authorize them based on
>> information explicitly included in the request.
>
> FWIW, I think we need a little more motivation for GuestXMLHttpRequest. It seems to me that a seamless sandboxed <iframe> addresses the use case brought forward and does so better (and more completely) than adding a new constructor for XMLHttpRequest.

Could you provide a code example that shows how to send an XHR request
to the same Origin without credentials using the HTML5 <iframe>
element?

--Tyler

-- 
"Waterken News: Capability security on the Web"
http://waterken.sourceforge.net/recent.html
Received on Tuesday, 9 June 2009 19:15:56 GMT
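
Added example, not part of the original message or of any specification: a sketch of the server-side rule quoted in the thread, where a request with no Origin header is treated as a guest and authorized only by what it explicitly carries. The grant tokens, session table, function names, request shape and the session-plus-Origin policy for non-guest requests are assumptions made for illustration.

```javascript
// Constructed sample data: unguessable tokens, each granting actions on one resource.
const GRANTS = new Map([
  ["k3q9-constructed-token-a", { resource: "/inbox/42", actions: ["read"] }],
  ["z7w1-constructed-token-b", { resource: "/inbox/42", actions: ["read", "append"] }],
]);
// Constructed session table for ordinary, credentialed XMLHttpRequest traffic.
const SESSIONS = new Map([
  ["sid-constructed-1", { user: "alice", origin: "https://app.example" }],
]);

// Case-insensitive header lookup on a plain { headers: {...} } request object.
function header(req, name) {
  const key = Object.keys(req.headers).find((k) => k.toLowerCase() === name);
  return key === undefined ? undefined : req.headers[key];
}

// No Origin header means "bits arriving from an unknown client".
function classifyRequest(req) {
  return header(req, "origin") === undefined ? "guest" : "origin-bearing";
}

function authorize(req, action) {
  if (classifyRequest(req) === "guest") {
    // Guest: cookies and Authorization are never read, even if present.
    // Only the token explicitly included in the request counts.
    const grant = GRANTS.get((req.params || {}).token);
    const ok = !!grant && grant.resource === req.path && grant.actions.includes(action);
    return { allowed: ok, basis: ok ? "explicit-token" : "none" };
  }
  // Origin-bearing (assumed policy): ambient session cookie, accepted only
  // when the Origin header matches the origin the session was created for.
  const sid = (header(req, "cookie") || "").match(/(?:^|;\s*)sid=([^;]+)/);
  const session = sid && SESSIONS.get(sid[1]);
  const ok = !!session && session.origin === header(req, "origin");
  return { allowed: ok, basis: ok ? "session+origin" : "none" };
}
```

Any client that omits Origin, not only the proposed constructor, lands in the guest branch, so the rule fails closed: such a request gains nothing from cookies that happen to be attached.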
