W3C home > Mailing lists > Public > public-webapps@w3.org > April to June 2009

Re: XHR without user credentials

From: Giovanni Campagna <scampa.giovanni@gmail.com>
Date: Wed, 10 Jun 2009 13:46:18 +0200
Message-ID: <65307430906100446t4dfbc24atdb18910a0e3f2337@mail.gmail.com>
To: Anne van Kesteren <annevk@opera.com>
Cc: Tyler Close <tyler.close@gmail.com>, Adam Barth <w3c@adambarth.com>, "Mark S. Miller" <erights@google.com>, public-webapps <public-webapps@w3.org>
2009/6/9 Anne van Kesteren <annevk@opera.com>:
> On Tue, 09 Jun 2009 21:15:18 +0200, Tyler Close <tyler.close@gmail.com> wrote:
>> Could you provide a code example that shows how to send an XHR request
>> to the same Origin without credentials using the HTML5 <iframe>
>> element?
>
>  <iframe sandbox="allow-scripts" src="..."></iframe>
>
> where ... is some page that does an XMLHttpRequest to the a page that is same origin with the page that contains the <iframe>. (The page being fetched will have to specify Access-Control-Allow-Origin:* as the request is coming from a unique origin by virtue of the sandbox attribute. The request will include an Origin header but the value will always be null.)
>
> Also, if the document="" or some such attribute is introduced the code will no longer have to be on a separate page.

You don't need document="", as long as all browsers implement data: URIs.

>
> --
> Anne van Kesteren
> http://annevankesteren.nl/
>
>
Received on Wednesday, 10 June 2009 11:46:51 GMT

This archive was generated by hypermail 2.3.1 : Tuesday, 26 March 2013 18:49:31 GMT