
Re: [whatwg] Fetch: crossorigin="anonymous" and XMLHttpRequest

From: Jonas Sicking <jonas@sicking.cc>
Date: Sun, 17 Mar 2013 10:25:22 -0700
Message-ID: <CA+c2ei9822RxrPi89JETg_NAW9=6ywe7hQckmefvtt_vnYNxxw@mail.gmail.com>
To: Anne van Kesteren <annevk@annevk.nl>
Cc: WHATWG <whatwg@whatwg.org>

On Sun, Mar 17, 2013 at 2:16 AM, Anne van Kesteren <annevk@annevk.nl> wrote:
> On Sun, Mar 17, 2013 at 1:10 AM, Jonas Sicking <jonas@sicking.cc> wrote:
>> On Mon, Mar 11, 2013 at 4:31 AM, Anne van Kesteren <annevk@annevk.nl> wrote:
>>> Preceded the specification? I doubt that. When was it added? The
>>> specification was done at the start of 2010 somewhere, based on the
>>> requirements coming from UMP:
>>> http://lists.w3.org/Archives/Public/public-webapps/2010JanMar/0340.html
>>
>> I see that my attempt at focusing on the important issues failed.
>> Would you like to debate whether the new syntax constitutes a new
>> feature or would you like to debate the technical issues of whether we
>> want the a) and b) behavior?
>
> I tried to address both by pointing to UMP which wants both a) and b).
> The alternative would be to use <iframe sandbox=allow-scripts> which
> exhibits the same behavior given the unique origin (that also blocks
> Referer). I believe at least Maciej expressed interest in supporting
> the UMP use case.

But *why* does UMP want this behavior? What's the use case?

I think there is value in indicating which webpage is making the
request. The problem that I understood UMP wanting to solve was the
confused deputy problem where it looked like the user was making the
request rather than the webpage.

> If anon:true means no more than withCredentials=false we should call
> it withCredentials instead as EventSource does at the moment. Although
> given XMLHttpRequest already has withCredentials there would be
> nothing new in that addition and generally we've refrained from adding
> such duplicate features.

In the Firefox implementation { anon:true } does for all requests what
withCredentials=false does for cross-origin requests.

/ Jonas
Received on Sunday, 17 March 2013 17:26:18 GMT
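The distinction drawn above, that `{ anon: true }` does for every request what `withCredentials=false` does only for cross-origin requests, maps onto the credentials modes the Fetch standard later defined ("omit", "same-origin", "include"). The following is an added example, not code from this thread, from Firefox or from the specification; it models that decision in plain JavaScript so the three settings can be compared side by side. The mapping of the legacy XHR knobs onto the three modes and the origin-comparison rule are assumptions of this model, and the host names and cookie values are constructed.

```javascript
// Added example, not code from the thread: a model of the credentials
// decision being argued about, written against the rule the Fetch standard
// later adopted (credentials mode "omit" / "same-origin" / "include").
// Host names and cookie values below are constructed for illustration.

// Web origin of a URL: scheme, host and port (URL.host includes the port
// when it is non-default, which is what an origin comparison needs).
function originOf(urlString) {
  const u = new URL(urlString);
  return `${u.protocol}//${u.host}`;
}

// Map the two legacy XHR knobs from the mail onto one credentials mode:
//   { anon: true }          -> "omit"         (the Firefox flag described above)
//   withCredentials = false -> "same-origin"  (the XMLHttpRequest default)
//   withCredentials = true  -> "include"
function legacyToCredentialsMode({ anon = false, withCredentials = false } = {}) {
  if (anon) return 'omit';
  return withCredentials ? 'include' : 'same-origin';
}

// Fetch's rule: ambient credentials (cookies, HTTP auth, client certs) are
// attached when the mode is "include", or when it is "same-origin" and the
// request really is same-origin with the page that issued it.
function includesCredentials(mode, pageUrl, requestUrl) {
  const sameOrigin = originOf(pageUrl) === originOf(requestUrl);
  switch (mode) {
    case 'include': return true;
    case 'same-origin': return sameOrigin;
    case 'omit': return false;
    default: throw new TypeError(`unknown credentials mode: ${mode}`);
  }
}

// Headers a browser would put on the wire for the request, given a
// constructed cookie jar keyed by origin. Cookie only appears when the
// credentials decision says so; Origin names the requesting page on
// cross-origin (CORS) requests, which is the "which webpage made this"
// signal the mail argues has value.
function buildRequestHeaders(mode, pageUrl, requestUrl, cookieJar) {
  const headers = {};
  const target = originOf(requestUrl);
  if (includesCredentials(mode, pageUrl, requestUrl) && cookieJar[target]) {
    headers.Cookie = cookieJar[target];
  }
  if (originOf(pageUrl) !== target) {
    headers.Origin = originOf(pageUrl);
  }
  return headers;
}

// The comparison the thread is implicitly making: for each legacy setting,
// does a same-origin and a cross-origin request carry credentials?
function compareModes(pageUrl, sameOriginUrl, crossOriginUrl) {
  const settings = {
    'withCredentials=false': { withCredentials: false },
    'withCredentials=true': { withCredentials: true },
    '{anon:true}': { anon: true },
  };
  const rows = {};
  for (const [label, opts] of Object.entries(settings)) {
    const mode = legacyToCredentialsMode(opts);
    rows[label] = {
      mode,
      sameOrigin: includesCredentials(mode, pageUrl, sameOriginUrl),
      crossOrigin: includesCredentials(mode, pageUrl, crossOriginUrl),
    };
  }
  return rows;
}

// Constructed sample: a page on app.example.com talking to its own API and
// to a third-party API, with a session cookie stored for each origin.
const PAGE = 'https://app.example.com/account';
const SAME = 'https://app.example.com/api/profile';
const CROSS = 'https://api.example.net/v1/data';
const JAR = {
  'https://app.example.com': 'session=constructed-app-session',
  'https://api.example.net': 'session=constructed-thirdparty-session',
};

if (typeof require !== 'undefined' && require.main === module) {
  console.table(compareModes(PAGE, SAME, CROSS));
  console.log(buildRequestHeaders('same-origin', PAGE, CROSS, JAR)); // Origin only, no Cookie
  console.log(buildRequestHeaders('include', PAGE, CROSS, JAR));     // Origin and Cookie
}
```

Run under Node, the table shows the point of the mail in one place: the `withCredentials=false` row carries the cookie same-origin but not cross-origin, while the `{anon:true}` row carries it in neither case. The `buildRequestHeaders` output also shows that dropping credentials does not drop the `Origin` header, so a server can still tell which page issued a credential-less cross-origin request.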
