- From: Anne van Kesteren <annevk@opera.com>
- Date: Mon, 08 Jun 2009 23:44:49 +0200
- To: "Mark S. Miller" <erights@google.com>
- Cc: "Tyler Close" <tyler.close@gmail.com>, "Adam Barth" <w3c@adambarth.com>, public-webapps <public-webapps@w3.org>

On Mon, 08 Jun 2009 23:35:21 +0200, Mark S. Miller <erights@google.com> wrote:
> When the withCredentials flag is set to false, does it also issue an
> "Origin: null" header? If not, then -- given the recommended server
> behavior -- this flag isn't doing its job, since an identified origin
> header is still a form of credential. As mentioned earlier, for
> credential-free same origin requests, it would be adequate either to say
> "Origin: null" or to leave the Origin header absent.

The flag is currently not doing "its job" then. When we designed this feature we made it only affect HTTP authentication and cookies. I think we have some freedom to change some of the details here as long as the motivation is perfectly clear and agreed upon by those that have already implemented the draft.

I sort of like the idea of having a new (named) constructor or maybe have the constructor take an argument to indicate credentials are supposed to be omitted. This would also allow us to drop the withCredentials flag.

--
Anne van Kesteren
http://annevankesteren.nl/

Received on Monday, 8 June 2009 21:45:36 UTC