
Re: [whatwg] Fetch: crossorigin="anonymous" and XMLHttpRequest

From: Anne van Kesteren <annevk@annevk.nl>
Date: Wed, 20 Mar 2013 17:31:14 -0400
Message-ID: <CADnb78jhZ9jqX+sE2Vqe0iH7w38qbQsJwVRVwNO4yPLNRytOHg@mail.gmail.com>
To: Jonas Sicking <jonas@sicking.cc>
Cc: WHATWG <whatwg@whatwg.org>

On Wed, Mar 20, 2013 at 12:54 PM, Jonas Sicking <jonas@sicking.cc> wrote:
> On Tue, Mar 19, 2013 at 8:08 PM, Anne van Kesteren <annevk@annevk.nl> wrote:
>> Not if the referring URL was a capability, which I think might have
>> been the point.
> I don't understand what that means. Could you explain?

If you do an XMLHttpRequest from a document hosted at
/superlonghashkeythatactsasauthenticationtoken you probably do not
want to expose the Referer header. Now 1) this document should be
hosted over https so this is less likely to be a concern given actual
implementations of Referer over https and 2) for same-origin requests
this matters less (if at all), it still seems better if anonymous is

> That said, allowing both anonymous and non-anonymous requests to do
> xhr.setRequestHeader("referer", "") might be a good idea. I.e. being
> able to set it explicitly to the empty string.
Does anonymous also mean not handling 401 by prompting the user? What about 407?

Received on Wednesday, 20 March 2013 21:31:39 UTC
