- From: Tyler Close <tyler.close@gmail.com>
- Date: Mon, 8 Jun 2009 14:33:57 -0700
- To: Anne van Kesteren <annevk@opera.com>
- Cc: "Mark S. Miller" <erights@google.com>, Adam Barth <w3c@adambarth.com>, public-webapps <public-webapps@w3.org>
On Mon, Jun 8, 2009 at 2:17 PM, Anne van Kesteren<annevk@opera.com> wrote:
> On Mon, 08 Jun 2009 23:13:29 +0200, Anne van Kesteren <annevk@opera.com> wrote:
>> On Mon, 08 Jun 2009 19:24:03 +0200, Tyler Close <tyler.close@gmail.com>
>> wrote:
>>> For CORS <http://www.w3.org/TR/access-control/>, and other parts of
>>> web-apps, I think the above agreement is the important take-away from
>>> this discussion. For sites with advertising, or other third-party
>>> widgets, it would be nice to have a way for code to issue network
>>> requests without impersonating the hosting page's Origin.
>>
>> We already have a feature to do a request without credentials. Set the
>> withCredentials flag to false. (If you meant something else that was not
>> clear from the context, at least to me.)
>
> Though saying that I realize this is currently a strictly cross-origin feature. I
> suppose we can change that but having the defaults be different is
> somewhat awkward.

Right, there is also a need for same origin requests without
credentials. For example, an advertisement on a social networking site
could be able to send requests to the social networking site, just not
under the user's credentials.

I believe something like the following would satisfy the feature request:

constructor: XMLHttpRequest()
credentials: by default only back to same origin

constructor: GuestXMLHttpRequest()
credentials: no user credentials to any origin, including the same origin

I believe the first case is what is currently implemented in Firefox 3.5.

--Tyler

--
"Waterken News: Capability security on the Web"
http://waterken.sourceforge.net/recent.html
Received on Monday, 8 June 2009 21:34:30 UTC
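
The credential rules discussed in this message, modelled in JavaScript as an added example (not part of the original e-mail and not browser code). `GuestXMLHttpRequest` is the constructor name proposed above; `originOf`, `sendsCredentials` and `evaluateCases` are hypothetical helper names, the `social.example` / `ads.example` URLs are constructed, and the model covers only whether the user's credentials are attached to the outgoing request.

```javascript
// Model of the per-constructor credential rules from the message above.
// Hypothetical helpers; this decides only whether cookies / HTTP auth are attached.

const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Origin = (scheme, host, port), with the scheme's default port filled in.
function originOf(url) {
  const u = new URL(url);
  const port = u.port || DEFAULT_PORTS[u.protocol] || "";
  return `${u.protocol}//${u.hostname}:${port}`;
}

// Returns true when the request would carry the user's credentials.
function sendsCredentials(constructorName, pageUrl, targetUrl, withCredentials = false) {
  if (constructorName === "GuestXMLHttpRequest") {
    return false; // proposal: no user credentials to any origin, same origin included
  }
  if (constructorName !== "XMLHttpRequest") {
    throw new TypeError(`unknown constructor: ${constructorName}`);
  }
  const sameOrigin = originOf(pageUrl) === originOf(targetUrl);
  // Same origin: credentials by default. Cross-origin: only when the flag is set.
  return sameOrigin || withCredentials === true;
}

// Constructed scenario: an ad script running inside a social networking page.
const PAGE = "https://social.example/home";
const CASES = [
  ["XMLHttpRequest", "https://social.example/api/friends", false],
  ["XMLHttpRequest", "https://social.example:443/api/friends", false], // same origin, explicit port
  ["XMLHttpRequest", "http://social.example/api/friends", false],      // scheme differs
  ["XMLHttpRequest", "https://ads.example/track", false],
  ["XMLHttpRequest", "https://ads.example/track", true],
  ["GuestXMLHttpRequest", "https://social.example/api/friends", false],
  ["GuestXMLHttpRequest", "https://ads.example/track", true],          // flag has no effect
];

function evaluateCases() {
  return CASES.map(([ctor, target, flag]) => ({
    ctor, target, withCredentials: flag,
    credentialed: sendsCredentials(ctor, PAGE, target, flag),
  }));
}

for (const r of evaluateCases()) {
  console.log(`${r.ctor} -> ${r.target} (withCredentials=${r.withCredentials}): ` +
    (r.credentialed ? "credentials sent" : "anonymous"));
}
```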