Re: XHR without user credentials

For what it's worth, it's too late to remove the withCredentials flag
from Firefox 3.5.

Not putting any demands on the spec though.

/ Jonas

On Mon, Jun 8, 2009 at 2:44 PM, Anne van Kesteren <annevk@opera.com> wrote:
> On Mon, 08 Jun 2009 23:35:21 +0200, Mark S. Miller <erights@google.com>
> wrote:
>>
>> When the withCredentials flag is set to false, does it also issue an
>> "Origin: null" header? If not, then -- given the recommended server
>> behavior -- this flag isn't doing its job, since an identified origin header
>> is still a form of credential. As mentioned earlier, for credential-free
>> same origin requests, it would be adequate either to say "Origin: null" or
>> to leave the Origin header absent.
>
> The flag is currently not doing "its job" then. When we designed this
> feature we made it only affect HTTP authentication and cookies.
>
> I think we have some freedom to change some of the details here as long as
> the motivation is perfectly clear and agreed upon by those that have already
> implemented the draft.
>
> I sort of like the idea of having a new (named) constructor or maybe have
> the constructor take an argument to indicate credentials are supposed to be
> omitted. This would also allow us to drop the withCredentials flag.
>
>
> --
> Anne van Kesteren
> http://annevankesteren.nl/
>
>

Received on Tuesday, 9 June 2009 00:04:49 UTC
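
Added example, not part of the original thread or of any browser's code: a small JavaScript model of the behaviour discussed above, where withCredentials gates only cookies and HTTP authentication while the Origin header still identifies the requester. The function names, the origin https://app.example, the sample header values and the Origin-trusting server are all assumptions made for illustration.

```javascript
// Added illustration, not code from the thread. It models the behaviour Anne
// describes: withCredentials gates cookies and HTTP authentication only.
// All names and sample values below are constructed for this example.

// Headers a browser attaches to a cross-origin XHR in this model.
// nullOrigin models Mark's suggestion: "Origin: null" on credential-free requests.
function buildRequestHeaders({ pageOrigin, withCredentials, cookie, authorization, nullOrigin = false }) {
  const headers = { Origin: (!withCredentials && nullOrigin) ? 'null' : pageOrigin };
  if (withCredentials) {
    if (cookie) headers.Cookie = cookie;
    if (authorization) headers.Authorization = authorization;
  }
  return headers;
}

// Which of the sent headers still tell the server who is asking.
function identifyingHeaders(headers) {
  return Object.keys(headers).filter(
    (name) => !(name === 'Origin' && headers[name] === 'null')
  );
}

// Hypothetical server that grants access purely on the Origin header,
// which is what turns an identified Origin into a credential.
const TRUSTED_ORIGINS = new Set(['https://app.example']);
function originBasedServerAllows(headers) {
  return TRUSTED_ORIGINS.has(headers.Origin);
}

// Constructed sample request state.
const base = {
  pageOrigin: 'https://app.example',
  cookie: 'sid=constructed-sample',
  authorization: 'Basic constructed-sample',
};

// withCredentials = false as drafted: cookies and auth are dropped, Origin is not.
const asDrafted = buildRequestHeaders({ ...base, withCredentials: false });
// withCredentials = false with "Origin: null": nothing identifying remains.
const asProposed = buildRequestHeaders({ ...base, withCredentials: false, nullOrigin: true });

console.log('as drafted :', identifyingHeaders(asDrafted), originBasedServerAllows(asDrafted));
console.log('Origin null:', identifyingHeaders(asProposed), originBasedServerAllows(asProposed));
```

A server that wants credential-free requests to carry no authority has to make its access decision without consulting Origin at all, since in this model the flag alone does not remove it.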