Re: XHR without user credentials

On Mon, Jun 8, 2009 at 2:17 PM, Anne van Kesteren <annevk@opera.com> wrote:

> > We already have a feature to do a request without credentials. Set the
> > withCredentials flag to false. (If you meant something else that was not
> > clear from the context, at least to me.)
>
> Though saying that I realize this is currently a strictly cross-origin
> feature. I suppose we can change that but having the defaults be different
> is somewhat awkward.
>

Good. Thanks for considering this extension. It is indeed important to
suppress presentation of credentials even for same-origin requests.

When the withCredentials flag is set to false, does it also issue an
"Origin: null" header? If not, then -- given the recommended server behavior
-- this flag isn't doing its job, since an identified origin header is still
a form of credential. As mentioned earlier, for credential-free same-origin
requests, it would be adequate either to say "Origin: null" or to leave the
Origin header absent.

-- 
   Cheers,
   --MarkM

Received on Monday, 8 June 2009 21:35:57 UTC
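
Added example (not part of the original message or of any specification text): the point raised above, that an identified Origin header still acts as a credential, checked against a hypothetical server that grants authority on a trusted Origin value alone. The server policy, the origin value, the sample requests and all function names are assumptions constructed for illustration.

```javascript
// Constructed allowlist for a hypothetical server (assumption, not from the thread).
const TRUSTED_ORIGINS = new Set(["https://app.example"]);

// Header names are case-insensitive; normalize before inspecting them.
function normalizeHeaders(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers)) out[k.toLowerCase()] = String(v).trim();
  return out;
}

// Headers that tell the server who is asking. "Origin: null" and an absent
// Origin header both identify nobody, matching the two options in the message.
function identifyingHeaders(headers) {
  const h = normalizeHeaders(headers);
  const found = [];
  if (h["cookie"]) found.push("cookie");
  if (h["authorization"]) found.push("authorization");
  if (h["origin"] && h["origin"] !== "null") found.push("origin");
  return found;
}

// Hypothetical server policy: authority is granted on a trusted Origin alone.
function serverGrantsAuthority(headers) {
  return TRUSTED_ORIGINS.has(normalizeHeaders(headers)["origin"]);
}

// Constructed sample requests covering the cases discussed in the message.
const SAMPLE_REQUESTS = {
  cookiesAndOrigin: { Cookie: "sid=constructed", Origin: "https://app.example" },
  noCookiesIdentifiedOrigin: { Origin: "https://app.example" },
  noCookiesNullOrigin: { Origin: "null" },
  noCookiesNoOrigin: {},
};

// For each request: which headers identify the sender, whether the request is
// truly credential-free, and whether the hypothetical server grants authority.
function evaluate(requests) {
  const report = {};
  for (const [name, headers] of Object.entries(requests)) {
    const identifying = identifyingHeaders(headers);
    report[name] = {
      identifying,
      credentialFree: identifying.length === 0,
      granted: serverGrantsAuthority(headers),
    };
  }
  return report;
}

console.log(JSON.stringify(evaluate(SAMPLE_REQUESTS), null, 2));
```

The `noCookiesIdentifiedOrigin` case is the one the message asks about: no cookies are sent, yet the request is not credential-free and the hypothetical server still grants authority.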