Re: XHR without user credentials

From: Anne van Kesteren <annevk@opera.com>
Date: Mon, 08 Jun 2009 23:44:49 +0200
To: "Mark S. Miller" <erights@google.com>
Cc: "Tyler Close" <tyler.close@gmail.com>, "Adam Barth" <w3c@adambarth.com>, public-webapps <public-webapps@w3.org>
Message-ID: <op.uu76ozno64w2qv@anne-van-kesterens-macbook.local>

On Mon, 08 Jun 2009 23:35:21 +0200, Mark S. Miller <erights@google.com> wrote:
> When the withCredentials flag is set to false, does it also issue an
> "Origin: null" header? If not, then -- given the recommended server  
> behavior -- this flag isn't doing its job, since an identified origin  
> header is still a form of credential. As mentioned earlier, for  
> credential-free same origin requests, it would be adequate either to say  
> "Origin: null" or to leave the Origin header absent.

The flag is currently not doing "its job" then. When we designed this  
feature we made it only affect HTTP authentication and cookies.

I think we have some freedom to change some of the details here as long as  
the motivation is perfectly clear and agreed upon by those that have  
already implemented the draft.

I sort of like the idea of having a new (named) constructor or maybe have  
the constructor take an argument to indicate credentials are supposed to  
be omitted. This would also allow us to drop the withCredentials flag.

Anne van Kesteren
Received on Monday, 8 June 2009 21:45:36 UTC
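
The behaviour discussed in this message, as an added example that is not part of the original e-mail or of any specification text: a small JavaScript model in which withCredentials controls only cookies and HTTP authentication while the Origin header is still sent. The function names, the `anonymousOrigin` option, the sample origins and the Origin-allowlisting server are assumptions made for illustration.

```javascript
// Added illustration: a model of the behaviour described in this thread,
// not browser or specification code. All names here are hypothetical.

// Ambient state a browser holds for the target site (constructed values).
const ambient = {
  cookie: "session=constructed-sample",
  authorization: "Basic constructed-sample",
};

// Build the headers of a cross-origin request. As the message states,
// withCredentials only affects cookies and HTTP authentication; Origin is
// sent either way. anonymousOrigin models the "Origin: null" alternative
// raised in the quoted question.
function buildHeaders(pageOrigin, { withCredentials, anonymousOrigin = false }) {
  const headers = { Origin: anonymousOrigin ? "null" : pageOrigin };
  if (withCredentials) {
    headers.Cookie = ambient.cookie;
    headers.Authorization = ambient.authorization;
  }
  return headers;
}

// Headers that still let a server tell one requester from another.
function identifyingHeaders(headers) {
  return Object.keys(headers)
    .filter(
      (name) =>
        name === "Cookie" ||
        name === "Authorization" ||
        (name === "Origin" && headers[name] !== "null")
    )
    .sort();
}

// Assumed server policy: authorize on the Origin header alone.
const trustedOrigins = new Set(["https://partner.example"]);
function serverGrants(headers) {
  return trustedOrigins.has(headers.Origin);
}

const flagOff = buildHeaders("https://partner.example", { withCredentials: false });
const nullOrigin = buildHeaders("https://partner.example", {
  withCredentials: false,
  anonymousOrigin: true,
});
console.log(identifyingHeaders(flagOff), serverGrants(flagOff));
console.log(identifyingHeaders(nullOrigin), serverGrants(nullOrigin));
```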