W3C home > Mailing lists > Public > public-webapps@w3.org > April to June 2009

Re: XHR without user credentials

From: Tyler Close <tyler.close@gmail.com>
Date: Mon, 8 Jun 2009 14:33:57 -0700
Message-ID: <5691356f0906081433v1c4c0f62ja90c6eae921c73aa@mail.gmail.com>
To: Anne van Kesteren <annevk@opera.com>
Cc: "Mark S. Miller" <erights@google.com>, Adam Barth <w3c@adambarth.com>, public-webapps <public-webapps@w3.org>
On Mon, Jun 8, 2009 at 2:17 PM, Anne van Kesteren<annevk@opera.com> wrote:
> On Mon, 08 Jun 2009 23:13:29 +0200, Anne van Kesteren <annevk@opera.com> wrote:
>> On Mon, 08 Jun 2009 19:24:03 +0200, Tyler Close <tyler.close@gmail.com>
>> wrote:
>>> For CORS <http://www.w3.org/TR/access-control/>, and other parts of
>>> web-apps, I think the above agreement is the important take-away from
>>> this discussion. For sites with advertising, or other third-party
>>> widgets, it would be nice to have a way for code to issue network
>>> requests without impersonating the hosting page's Origin.
>> We already have a feature to do a request without credentials. Set the
>> withCredentials flag to false. (If you meant something else that was not
>> clear from the context, at least to me.)
> Though saying that I realize this is currently a strictly cross-origin feature. I
> suppose we can change that but having the defaults be different is
> somewhat awkward.

Right, there is also a need for same origin requests without
credentials. For example, an advertisement on a social networking site
could be able to send requests to the social networking site, just not
under the user's credentials.

I believe something like the following would satisfy the feature request:

constructor: XMLHttpRequest()
credentials: by default only back to same origin

constructor: GuestXMLHttpRequest()
credentials: no user credentials to any origin, including the same origin

I believe the first case is what is currently implemented in Firefox 3.5.


"Waterken News: Capability security on the Web"
Received on Monday, 8 June 2009 21:34:30 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:12:54 UTC