Re: [whatwg] Fetch: crossorigin="anonymous" and XMLHttpRequest

From: Jonas Sicking <jonas@sicking.cc>
Date: Mon, 18 Mar 2013 12:57:22 -0700
Message-ID: <CA+c2ei9n0-Oj64Xavz3ue0XFn5yxBWGEaZyJX3Z=8u_PGOwNCA@mail.gmail.com>
To: Anne van Kesteren <annevk@annevk.nl>
Cc: WHATWG <whatwg@whatwg.org>

On Mon, Mar 18, 2013 at 5:43 AM, Anne van Kesteren <annevk@annevk.nl> wrote:
> On Sun, Mar 17, 2013 at 5:25 PM, Jonas Sicking <jonas@sicking.cc> wrote:
>> On Sun, Mar 17, 2013 at 2:16 AM, Anne van Kesteren <annevk@annevk.nl> wrote:
>>> I tried to address both by pointing to UMP which wants both a) and b).
>>> The alternative would be to use <iframe sandbox=allow-scripts> which
>>> exhibits the same behavior given the unique origin (that also blocks
>>> Referer). I believe at least Maciej expressed interest in supporting
>>> the UMP use case.
>> But *why* does UMP want this behavior? What's the use case?
> I think they do not want to expose any kind of identifying information
> in the request to sort of force the capability model.

By not including cookies or other login information you are already
forcing the capability model since you can't tell the connection from
one that is server-to-server.

Including the referrer header, at least by default, seems very useful
still since there is lots of infrastructure in servers which are using
those for logging purposes.

>> In the Firefox implementation { anon:true } does for all requests what
>> withCredentials=false does for cross-origin requests.
> I see. Is it called anon already or still mozAnon? There's an
> outstanding request to rename it to anonymous as most other terms are
> spelled out.

I don't know what we're currently using off the top of my head.

/ Jonas
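The thread compares three request modes by which identifying headers they withdraw: the default XHR `withCredentials` flag (credentials dropped cross-origin only), Firefox's `{ mozAnon: true }` (credentials dropped on every request), and the opaque-origin `<iframe sandbox=allow-scripts>` / UMP case (credentials and Referer both gone). The block below is an added illustration, not code from the thread or from any browser: a small model that computes, for a constructed page and API pair, which of Cookie, Authorization and Referer would be attached under each mode. The option names (`withCredentials`, `anon`, `uniqueOrigin`), the sample URLs and the policy table are this example's own assumptions.

```javascript
// Added illustration, not code from the thread or from any browser:
// a model of which identifying headers go out under the request modes
// the discussion compares. Option names and policy table are assumptions.

// Same-origin per scheme/host/port. URL normalizes default ports to "",
// so "https://a.example" and "https://a.example:443" compare equal.
function sameOrigin(a, b) {
  const u = new URL(a);
  const v = new URL(b);
  return u.protocol === v.protocol && u.hostname === v.hostname && u.port === v.port;
}

// Which identifying headers a request from `documentUrl` to `targetUrl` carries.
//   withCredentials: the XHR flag; per the thread it only matters cross-origin
//   anon:            Firefox's { mozAnon: true } / the proposed anonymous mode,
//                    which drops credentials for *all* requests
//   uniqueOrigin:    the <iframe sandbox=allow-scripts> / UMP case: an opaque
//                    origin, so every request is cross-origin and Referer is blocked
function identifyingHeaders(documentUrl, targetUrl, options = {}) {
  const { withCredentials = false, anon = false, uniqueOrigin = false } = options;
  const crossOrigin = uniqueOrigin || !sameOrigin(documentUrl, targetUrl);
  // Cookies and HTTP auth travel same-origin, or cross-origin only when
  // withCredentials is set; anon mode withdraws them everywhere.
  const credentials = !anon && (!crossOrigin || withCredentials);
  return {
    cookie: credentials,
    authorization: credentials,
    // Referer stays on unless the origin is opaque (the UMP / sandbox case).
    referer: !uniqueOrigin,
  };
}

// Names of the headers that would actually appear, e.g. for server-side logging.
function sentHeaders(documentUrl, targetUrl, options) {
  const h = identifyingHeaders(documentUrl, targetUrl, options);
  return Object.keys(h).filter((name) => h[name]);
}

// Constructed sample: a page on app.example fetching from api.example.
const PAGE = 'https://app.example/dashboard';
const API = 'https://api.example/v1/items';

if (typeof require !== 'undefined' && require.main === module) {
  console.log('default, cross-origin        ', sentHeaders(PAGE, API));
  console.log('withCredentials, cross-origin', sentHeaders(PAGE, API, { withCredentials: true }));
  console.log('anon, same-origin            ', sentHeaders(PAGE, PAGE, { anon: true }));
  console.log('UMP / sandboxed iframe       ', sentHeaders(PAGE, API, { uniqueOrigin: true }));
}
```

The last two rows are the point of the exchange: an anonymous request to the page's own origin still carries Referer (Jonas's argument that server-side logging keeps working), while the opaque-origin case sends nothing that ties the request to a user or a referring page.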
Received on Monday, 18 March 2013 19:58:20 UTC