- From: Anne van Kesteren <annevk@opera.com>
- Date: Wed, 17 Feb 2010 11:39:26 +0100
- To: "Jonas Sicking" <jonas@sicking.cc>
- Cc: "WebApps WG" <public-webapps@w3.org>
On Wed, 17 Feb 2010 11:33:16 +0100, Jonas Sicking <jonas@sicking.cc> wrote:

> I do sort of like the idea that UMP is the "credential less model".
> I.e. that we essentially have two modes: UMP, with no user credentials
> (cookies, auth headers, etc) and no server credentials (origin
> header), and full on with-credentials (with cookies, origin etc).

Right, this is what I am proposing with UMP being new XMLHttpRequest(true).

> There are a few problems however:
> * Need to figure out the syntax to choose between the two modes
> * UMP doesn't include the referer header (right?). I suspect sites
> will be sad about this as it is often used for things not related to
> security. Possibly they'll be sad enough that they'll opt in to
> credentials just to get the referrer header sent. That defeats the
> purpose of having credential less requests.

Sending the Referer header would defeat the purpose of origin being a globally unique identifier.

> * Same-site XHR defaults to with-credentials. But cross-site I
> strongly want to default to without credentials. This complicates the
> syntax issue.

Well, we'd have to give that up, basically. Having said that, I guess we're stuck with withCredentials, however sad.

I have made the change that open() raises an INVALID_ACCESS_ERR if you provide either username or password for a cross-origin request. That seems relatively safe and better than simply ignoring the arguments.

--
Anne van Kesteren
http://annevankesteren.nl/
Received on Wednesday, 17 February 2010 10:39:58 UTC
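A small model of the two request modes and the open() check discussed in this message, added here as an example; it is not browser code and not anything from the thread. The header set for each mode follows Jonas's description; that Referer is sent only in the with-credentials mode, and that same-origin defaults to with-credentials while cross-origin defaults to credential-less, are assumptions taken from the discussion, not from a specification.

```javascript
// Model of the credential policy discussed in the thread (added example,
// not a browser's XMLHttpRequest implementation).
function originOf(href) {
  const u = new URL(href);
  return `${u.protocol}//${u.host}`;
}

// Returns the mode and the credential-bearing headers a request would carry,
// or throws INVALID_ACCESS_ERR when username/password are given cross-origin,
// which is the open() behaviour described in the reply.
function planRequest({ pageUrl, url, withCredentials, username, password, cookie, auth }) {
  const pageOrigin = originOf(pageUrl);
  const sameOrigin = originOf(url) === pageOrigin;

  if (!sameOrigin && (username !== undefined || password !== undefined)) {
    const err = new Error("username/password not allowed on a cross-origin request");
    err.name = "INVALID_ACCESS_ERR";
    throw err;
  }

  // Assumption from the discussion: same-origin defaults to with-credentials,
  // cross-origin defaults to the credential-less (UMP-like) mode unless opted in.
  const credentialed = withCredentials === undefined ? sameOrigin : withCredentials;
  const headers = {};

  if (credentialed) {
    if (cookie) headers.Cookie = cookie;          // user credentials
    if (auth) headers.Authorization = auth;       // user credentials
    if (!sameOrigin) headers.Origin = pageOrigin; // server credential, cross-origin only
    headers.Referer = pageUrl;                    // assumption: referrer only with credentials
  }
  // Credential-less mode sends none of Cookie, Authorization, Origin or Referer,
  // matching the thread's description of UMP.
  return { mode: credentialed ? "with-credentials" : "credential-less", headers };
}
```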