Re: [whatwg] Fetch: crossorigin="anonymous" and XMLHttpRequest

From: Anne van Kesteren <annevk@annevk.nl>
Date: Mon, 18 Mar 2013 12:43:04 +0000
Message-ID: <CADnb78i9so1UACsOwKH94BeQ1MfAuVuwL+0cB-dFnHzKP8AcgA@mail.gmail.com>
To: Jonas Sicking <jonas@sicking.cc>
Cc: WHATWG <whatwg@whatwg.org>

On Sun, Mar 17, 2013 at 5:25 PM, Jonas Sicking <jonas@sicking.cc> wrote:
> On Sun, Mar 17, 2013 at 2:16 AM, Anne van Kesteren <annevk@annevk.nl> wrote:
>> I tried to address both by pointing to UMP which wants both a) and b).
>> The alternative would be to use <iframe sandbox=allow-scripts> which
>> exhibits the same behavior given the unique origin (that also blocks
>> Referer). I believe at least Maciej expressed interest in supporting
>> the UMP use case.
> But *why* does UMP want this behavior? What's the use case?

I think they do not want to expose any kind of identifying information
in the request to sort of force the capability model.

> In the Firefox implementation { anon:true } does for all requests what
> withCredentials=false does for cross-origin requests.

I see. Is it called anon already or still mozAnon? There's an
outstanding request to rename it to anonymous as most other terms are
spelled out.

Received on Monday, 18 March 2013 12:43:33 UTC
