- From: Jonas Sicking <jonas@sicking.cc>
- Date: Mon, 8 Jun 2009 17:03:53 -0700
- To: Anne van Kesteren <annevk@opera.com>
- Cc: "Mark S. Miller" <erights@google.com>, Tyler Close <tyler.close@gmail.com>, Adam Barth <w3c@adambarth.com>, public-webapps <public-webapps@w3.org>
For what it's worth, it's too late to remove the withCredentials flag from Firefox 3.5. Not putting any demands on the spec though. / Jonas On Mon, Jun 8, 2009 at 2:44 PM, Anne van Kesteren<annevk@opera.com> wrote: > On Mon, 08 Jun 2009 23:35:21 +0200, Mark S. Miller <erights@google.com> > wrote: >> >> When the withCredentials flag is set to false, does it also issue an >> "Origin: null" header? If not, then -- given the recommended server >> behavior -- this flag isn't doing its job, since an identified origin header >> is still a form of credential. As mentioned earlier, for credential-free >> same origin requests, it would be adequate either to say "Origin: null" or >> to leave the Origin header absent. > > The flag is currently not doing "its job" then. When we designed this > feature we made it only affect HTTP authentication and cookies. > > I think we have some freedom to change some of the details here as long as > the motivation is perfectly clear and agreed upon by those that have already > implemented the draft. > > I sort of like the idea of having a new (named) constructor or maybe have > the constructor take an argument to indicate credentials are supposed to be > omitted. This would also allow us to drop the withCredentials flag. > > > -- > Anne van Kesteren > http://annevankesteren.nl/ > >
Received on Tuesday, 9 June 2009 00:04:49 UTC