W3C home > Mailing lists > Public > public-webapps@w3.org > April to June 2009

Re: XHR without user credentials

From: Jonas Sicking <jonas@sicking.cc>
Date: Mon, 8 Jun 2009 17:03:53 -0700
Message-ID: <63df84f0906081703p75df27fdqb525ac9f4264166b@mail.gmail.com>
To: Anne van Kesteren <annevk@opera.com>
Cc: "Mark S. Miller" <erights@google.com>, Tyler Close <tyler.close@gmail.com>, Adam Barth <w3c@adambarth.com>, public-webapps <public-webapps@w3.org>
For what it's worth, it's too late to remove the withCredentials flag
from Firefox 3.5.

Not putting any demands on the spec though.

/ Jonas

On Mon, Jun 8, 2009 at 2:44 PM, Anne van Kesteren<annevk@opera.com> wrote:
> On Mon, 08 Jun 2009 23:35:21 +0200, Mark S. Miller <erights@google.com>
> wrote:
>> When the withCredentials flag is set to false, does it also issue an
>> "Origin: null" header? If not, then -- given the recommended server
>> behavior -- this flag isn't doing its job, since an identified origin header
>> is still a form of credential. As mentioned earlier, for credential-free
>> same origin requests, it would be adequate either to say "Origin: null" or
>> to leave the Origin header absent.
> The flag is currently not doing "its job" then. When we designed this
> feature we made it only affect HTTP authentication and cookies.
> I think we have some freedom to change some of the details here as long as
> the motivation is perfectly clear and agreed upon by those that have already
> implemented the draft.
> I sort of like the idea of having a new (named) constructor or maybe have
> the constructor take an argument to indicate credentials are supposed to be
> omitted. This would also allow us to drop the withCredentials flag.
> --
> Anne van Kesteren
> http://annevankesteren.nl/
Received on Tuesday, 9 June 2009 00:04:49 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:12:54 UTC