
Re: XHR without user credentials

From: Mark S. Miller <erights@google.com>
Date: Mon, 8 Jun 2009 17:59:02 -0700
Message-ID: <4d2fac900906081759g3ac7461dyb2364a7281e0cae7@mail.gmail.com>
To: Anne van Kesteren <annevk@opera.com>
Cc: Tyler Close <tyler.close@gmail.com>, Adam Barth <w3c@adambarth.com>, public-webapps <public-webapps@w3.org>

On Mon, Jun 8, 2009 at 2:44 PM, Anne van Kesteren <annevk@opera.com> wrote:

> I think we have some freedom to change some of the details here as long as
> the motivation is perfectly clear and agreed upon by those that have already
> implemented the draft.
>
> I sort of like the idea of having a new (named) constructor or maybe have
> the constructor take an argument to indicate credentials are supposed to be
> omitted. This would also allow us to drop the withCredentials flag.

That's wonderful news.

I second Tyler's earlier suggestion:

On Mon, Jun 8, 2009 at 2:33 PM, Tyler Close <tyler.close@gmail.com> wrote:

> constructor: GuestXMLHttpRequest()
> credentials: no user credentials to any origin, including the same origin

where "credentials" includes normal HTTP credentials, cookies, identified
Origin headers, and client side certs.

(and as Tyler said in an earlier email) instance API identical to the API of
XMLHttpRequest instances.

For concreteness, for the Origin header for these requests, I'll start with
the simplest proposal that meets my goals: no Origin header for either same
origin requests or cross origin requests. But for both the same origin case
and the cross origin case, I am actually indifferent between no Origin
header and an "Origin: null" header. If there's a reason for the "Origin:
null" header, I'm happy with that.

Received on Tuesday, 9 June 2009 00:59:38 UTC
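
Added example, not part of the original message or of any specification: a small JavaScript model of the credential definition in the message above (HTTP credentials, cookies, identifying Origin headers, client-side certs), usable in a test harness to check that a request is credential-free. The function names, the request shape and the sample values are assumptions made for illustration; "HTTP credentials" is modelled as the `Authorization` header.

```javascript
// Added illustration: all names here are hypothetical, not from the draft or a browser API.
// Headers that carry user credentials under the message's definition.
const CREDENTIAL_HEADERS = new Set(["authorization", "cookie"]);

// List the kinds of user credential a request description carries.
// req = { headers: {name: value}, clientCert: boolean }
function credentialKinds(req) {
  const kinds = [];
  for (const [name, value] of Object.entries(req.headers)) {
    const n = name.toLowerCase(); // header names are case-insensitive
    if (CREDENTIAL_HEADERS.has(n)) kinds.push(n);
    // "Origin: null" identifies no one, so only a concrete origin counts.
    if (n === "origin" && value.trim().toLowerCase() !== "null") kinds.push("origin");
  }
  if (req.clientCert) kinds.push("client-cert");
  return kinds.sort();
}

// Produce the guest form of a request. originMode is "omit" (no Origin header)
// or "null" (send "Origin: null"), the two options the message leaves open.
function toGuestRequest(req, originMode = "omit") {
  if (originMode !== "omit" && originMode !== "null") {
    throw new Error("originMode must be 'omit' or 'null'");
  }
  const headers = {};
  for (const [name, value] of Object.entries(req.headers)) {
    const n = name.toLowerCase();
    if (CREDENTIAL_HEADERS.has(n) || n === "origin") continue; // dropped even for same origin
    headers[name] = value;
  }
  if (originMode === "null") headers["Origin"] = "null";
  return { ...req, headers, clientCert: false };
}

// Constructed sample: a same-origin request sent with ambient credentials.
const sampleRequest = {
  method: "POST",
  url: "https://example.test/transfer",
  headers: {
    "Content-Type": "application/json",
    "COOKIE": "session=constructed-value",
    "Authorization": "Basic constructed-value",
    "Origin": "https://example.test",
  },
  clientCert: true,
};
```

A server that receives only guest-form requests can authorize solely on what the request itself contains, since nothing ambient is attached on the sender's behalf.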
