W3C home > Mailing lists > Public > public-webapps@w3.org > January to March 2010

Re: [XHR2] AnonXMLHttpRequest()

From: Tyler Close <tyler.close@gmail.com>
Date: Wed, 3 Feb 2010 09:57:58 -0800
Message-ID: <5691356f1002030957j1dfa2b5do7a6ca6d6fddbfca1@mail.gmail.com>
To: Maciej Stachowiak <mjs@apple.com>
Cc: Anne van Kesteren <annevk@opera.com>, WebApps WG <public-webapps@w3.org>
On Tue, Feb 2, 2010 at 11:37 PM, Maciej Stachowiak <mjs@apple.com> wrote:
> I think the credentials flag should specifically affect cookies, http
> authentication, and client-side SSL certs, but not proxy authentication (or,
> obviously, Origin). Anne, can you fix this?

Perhaps the best way to fix this is to have the definition of the
credentials flag reference UMP.

I think it's worth noting that Adam Barth's review of UMP went into
significant detail on the definition of credentials, but I don't
recall him raising similar points about CORS, though they would
obviously apply. I take this as further evidence that having separate
specifications improves clarity.

> A CORS message would clearly not satisfy the declarative definition of "a
> Uniform Request". Since this definition is based partly on what MUST NOT be
> included, I don't see any way to extend it.

CORS must not claim that its requests-with-credentials are uniform
requests. That would be incorrect and a violation of the UMP spec.
Instead, CORS could define its requests as
uniform-requests-plus-credentials and give this new construct a new
name. In programmer speak, CORS could extend UMP using composition
rather than inheritance.

> No existing CORS implementation will satisfy the requirements for a Uniform
> Request, as far as I can tell, since it includes "information obtained
> from... the referring resource, including its origin". It is possible to
> send a request satisfying the "Uniform Request" requirements by passing the
> right parameters to CORS (a "unique identifier" origin would result in
> "Origin: null" being sent), so the subset relation exists at the protocol
> level. But I don't think any implementation will end up passing the right
> parameters to CRS, so the intersection of the subsets of CORS supported by
> existing implementations does not overlap the UMP subset of CORS.

If it's not possible to coax an existing implementation into sending
"Origin: null", then, in the extreme, it's possible to create a newly
generated domain name and send the request from there, so that the
Origin header has a value to which no semantics are attached.

Again, I'm *not* arguing that existing CORS implementations provide a
clean and usable interface for using UMP. They clearly don't. I'm only
arguing that UMP defines functionality that existing implementations
have implicitly agreed to support, since they support sending of
semantically equivalent messages (there was never any guarantee that
the Origin header contained information that was meaningful to the
server). As you pointed out, there's still the issue of redirect
handling, but AFAICT, CORS implementations are not perfectly aligned
here either.

We should open a new thread on the redirect question, as there are
clearly issues that remain to be solved both within CORS itself and
between CORS and UMP. I'd also like the opportunity to convince the WG
that the UMP handling of redirects is the technically superior choice.


"Waterken News: Capability security on the Web"
Received on Wednesday, 3 February 2010 17:58:31 UTC

This archive was generated by hypermail 2.3.1 : Friday, 27 October 2017 07:26:22 UTC