
Re: XHR without user credentials

From: Anne van Kesteren <annevk@opera.com>
Date: Tue, 09 Jun 2009 21:09:51 +0200
To: "Tyler Close" <tyler.close@gmail.com>, "Adam Barth" <w3c@adambarth.com>
Cc: "Mark S. Miller" <erights@google.com>, public-webapps <public-webapps@w3.org>
Message-ID: <op.uu9t6p0t64w2qv@annevk-t60>

On Tue, 09 Jun 2009 18:38:47 +0200, Tyler Close <tyler.close@gmail.com> wrote:
> So requests from XMLHttpRequest have an Origin header, and requests
> from GuestXMLHttpRequest don't. The server should treat requests
> coming from GuestXMLHttpRequest as bits arriving from an unknown
> client (ie: a "guest"), and so only authorize them based on
> information explicitly included in the request.

FWIW, I think we need a little more motivation for GuestXMLHttpRequest. It seems to me that a seamless sandboxed <iframe> addresses the use case brought forward and does so better (and more completely) than adding a new constructor for XMLHttpRequest.

Anne van Kesteren
Received on Tuesday, 9 June 2009 19:10:38 UTC
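
The server-side rule in the quoted paragraph, as an added example that is not part of this message or of any proposal text: a request with no Origin header is treated as a guest and authorized only by a grant carried in the request itself, so a cookie attached to it is never consulted. The `token` query parameter, the origin allowlist, the hosts and all sample values are assumptions constructed for illustration.

```javascript
// Added illustration of the quoted authorization model; every name and value is constructed.
const TRUSTED_ORIGINS = new Set(["https://app.example"]);   // assumption: origins the server trusts
const SESSIONS = new Map([["sid-1234", "alice"]]);          // constructed session store
// Explicit grants: an unguessable token maps to the single method and path it permits.
const GRANTS = new Map([["tok-9f2c", { method: "GET", path: "/inbox/alice" }]]);

// Look up the user for a "sid" cookie, or null when there is no live session.
function sessionUser(cookieHeader = "") {
  for (const part of cookieHeader.split(";")) {
    const [name, value] = part.trim().split("=");
    if (name === "sid" && SESSIONS.has(value)) return SESSIONS.get(value);
  }
  return null;
}

function deny(reason) {
  return { allow: false, principal: null, reason };
}

// req: { method, url, headers } with lower-cased header names.
function authorize(req) {
  const url = new URL(req.url, "https://api.example");
  const origin = req.headers["origin"];

  if (origin === undefined) {
    // Guest: bits from an unknown client. Cookies are deliberately not read on
    // this branch; only information carried in the request itself counts.
    const grant = GRANTS.get(url.searchParams.get("token"));
    const ok = grant !== undefined &&
               grant.method === req.method &&
               grant.path === url.pathname;
    return ok ? { allow: true, principal: "guest", reason: "explicit grant" }
              : deny("no valid explicit grant");
  }

  // Request that names its origin: ambient credentials are honoured only
  // when that origin is on the allowlist.
  if (!TRUSTED_ORIGINS.has(origin)) return deny("untrusted origin");
  const user = sessionUser(req.headers["cookie"]);
  return user ? { allow: true, principal: user, reason: "session from trusted origin" }
              : deny("no session");
}
```

The second case in the model is the one that matters for defenders: a guest request that arrives with a valid session cookie but no grant is still refused.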
