Re: XHR without user credentials

2009/6/12 Mark S. Miller <erights@google.com>:
> On Tue, Jun 9, 2009 at 12:22 AM, Adam Barth <w3c@adambarth.com> wrote:
>> On Mon, Jun 8, 2009 at 5:59 PM, Mark S. Miller<erights@google.com> wrote:
>> > For concreteness, for the Origin header for these requests, I'll start with
>> > the simplest proposal that meets my goals: no Origin header for either same
>> > origin requests or cross origin requests. But for both the same origin case
>> > and the cross origin case, I am actually indifferent between no Origin
>> > header and an "Origin: null" header. If there's a reason for the "Origin:
>> > null" header, I'm happy with that.
>>
>> Please send "Origin: null" in these cases.  The problem with omitting
>> the origin header is that the server can't tell if the request comes
>> from a legacy client or if the header was removed in transit.
>
> * Why does this argument not also apply to credential-free GuestXHR requests back to the same origin?

It does.  If you want to send a credential-free XHR, please use
Origin: null.  That is, in fact, what the null means.

> What server-side behavior difference do you expect between messages with no Origin and messages with "Origin: null"?

You'll have to include Origin: null for POST requests.  You should
include it for GET as well.

> This difference does not affect much anything I care about, so I'm still happy to spec it as we agreed.

Great.

> I'd just like to understand the rationale. It makes more sense to me for all GuestXHR requests to be labeled the same way regardless of the origin of the originating page. Either same way seems more coherent to me than the current agreement.

Yes.  I agree.  They should all have Origin: null.

Adam

Received on Saturday, 13 June 2009 02:04:06 UTC
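The distinction Adam's reply rests on (no Origin header could mean a legacy client or a header stripped in transit, whereas "Origin: null" is a deliberate, credential-free request) is easiest to see from the server's side. The following is an added example, not code from this thread or from any W3C implementation; the site origin, the header samples, and the policy choices (refuse state-changing requests with no Origin, serve "Origin: null" requests but never let cookies confer authority on them) are constructed to illustrate the point.

```python
"""Server-side classification of the Origin header on XHR requests.

Added example (not from the mailing-list thread). It separates three
cases the thread discusses:
  - no Origin header: legacy client, or the header was removed in transit
  - "Origin: null": an explicitly credential-free (GuestXHR-style) request
  - a concrete origin: same-origin, or cross-origin (allow-listed or not)
"""
from dataclasses import dataclass
from typing import FrozenSet, Mapping, Optional

# Methods that are not expected to change server state.
SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS"})


@dataclass(frozen=True)
class Decision:
    kind: str             # "missing" | "anonymous" | "same-origin" | "cross-origin"
    allowed: bool         # may the server act on the request at all?
    honour_cookies: bool  # may ambient credentials (cookies) grant authority?
    reason: str


def _get_header(headers: Mapping[str, str], name: str) -> Optional[str]:
    """Case-insensitive lookup; HTTP field names are case-insensitive."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


def decide(method: str, headers: Mapping[str, str], site_origin: str,
           trusted_origins: FrozenSet[str] = frozenset()) -> Decision:
    """Decide how to treat one request given its method and Origin header.

    `site_origin` is the server's own origin (constructed in the demo below).
    """
    method = method.upper()
    origin = _get_header(headers, "Origin")

    if origin is None:
        # Ambiguous: pre-Origin client, or a proxy dropped the header.
        # Idempotent reads are served as they always were; state-changing
        # requests are refused because the server cannot tell who sent them.
        if method in SAFE_METHODS:
            return Decision("missing", True, True, "legacy-compatible read")
        return Decision("missing", False, False,
                        "state-changing request without an Origin header")

    if origin == "null":
        # Explicitly credential-free. Serve it, but ignore any cookies the
        # client may still have attached, so "null" never carries authority.
        return Decision("anonymous", True, False,
                        "Origin: null, handled as unauthenticated")

    if origin == site_origin:
        return Decision("same-origin", True, True, "same-origin request")

    if origin in trusted_origins:
        return Decision("cross-origin", True, True, "allow-listed cross-origin")

    return Decision("cross-origin", False, False, f"untrusted origin {origin}")


if __name__ == "__main__":
    # Constructed sample requests against a constructed site origin.
    site = "https://api.example"
    samples = [
        ("POST", {"Cookie": "session=abc"}),                          # no Origin
        ("POST", {"Origin": "null", "Cookie": "session=abc"}),        # GuestXHR
        ("POST", {"origin": "https://api.example"}),                  # same origin
        ("GET", {}),                                                  # legacy read
        ("POST", {"Origin": "https://other.example"}),                # cross origin
    ]
    for method, hdrs in samples:
        d = decide(method, hdrs, site)
        print(f"{method:4} {hdrs!s:50} -> {d.kind:12} "
              f"allowed={d.allowed} cookies={d.honour_cookies} ({d.reason})")
```

The key design choice is the "null" branch: the request is accepted, but `honour_cookies` is False, so a credential-free request can never be upgraded to an authenticated one by cookies that happen to be present. The "missing" branch is where omitting the header would have hurt: without "Origin: null", a deliberately anonymous POST would be indistinguishable from a stripped or legacy one and would have to be refused along with them.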