Re: [whatwg] Fetch: crossorigin="anonymous" and XMLHttpRequest

From: Anne van Kesteren <annevk@annevk.nl>
Date: Tue, 19 Mar 2013 07:20:33 -0400
Message-ID: <CADnb78jp=NvqayAESzG9X1xjWokc0awLvizDMEUj-T9sf39uwQ@mail.gmail.com>
To: Jonas Sicking <jonas@sicking.cc>
Cc: WHATWG <whatwg@whatwg.org>

On Mon, Mar 18, 2013 at 3:57 PM, Jonas Sicking <jonas@sicking.cc> wrote:
> By not including cookies or other login information you are already
> forcing the capability model since you can't tell the connection from
> one that is server-to-server.
> Including the referrer header, at least by default, seems very useful
> still since there is lots of infrastructure in servers which are using
> those for logging purposes.

I don't disagree, but they wanted to avoid exposing any kind of
originating data so people could not make trust decisions based on
that at all (however silly doing that may be). See
http://www.w3.org/TR/UMP/#request-sending in particular.

I don't really mind what we do here either way.

Received on Tuesday, 19 March 2013 11:20:58 UTC
