Re: XHR without user credentials

On Mon, Jun 8, 2009 at 2:33 PM, Tyler Close<tyler.close@gmail.com> wrote:
> On Mon, Jun 8, 2009 at 2:17 PM, Anne van Kesteren<annevk@opera.com> wrote:
>> On Mon, 08 Jun 2009 23:13:29 +0200, Anne van Kesteren <annevk@opera.com> wrote:
>>> On Mon, 08 Jun 2009 19:24:03 +0200, Tyler Close <tyler.close@gmail.com>
>>> wrote:
>>>> For CORS <http://www.w3.org/TR/access-control/>, and other parts of
>>>> web-apps, I think the above agreement is the important take-away from
>>>> this discussion. For sites with advertising, or other third-party
>>>> widgets, it would be nice to have a way for code to issue network
>>>> requests without impersonating the hosting page's Origin.
>>>
>>> We already have a feature to do a request without credentials. Set the
>>> withCredentials flag to false. (If you meant something else that was not
>>> clear from the context, at least to me.)
>>
>> Though saying that I realize this is currently a strictly cross-origin feature. I
>> suppose we can change that but having the defaults be different is
>> somewhat awkward.
>
> Right, there is also a need for same origin requests without
> credentials. For example, an advertisement on a social networking site
> could be able to send requests to the social networking site, just not
> under the user's credentials.
>
> I believe something like the following would satisfy the feature request:
>
> constructor: XMLHttpRequest()
> credentials: by default only back to same origin
>
> constructor: GuestXMLHttpRequest()
> credentials: no user credentials to any origin, including the same origin

But if there's a third-party script, say from an advertisement, running
in your page, what's to prevent that script from instantiating an
object that does send credentials?

/ Jonas

Received on Tuesday, 9 June 2009 00:26:27 UTC