W3C home > Mailing lists > Public > public-webapps@w3.org > April to June 2009

Re: XHR without user credentials

From: Mark S. Miller <erights@google.com>
Date: Fri, 12 Jun 2009 16:34:09 -0700
Message-ID: <4d2fac900906121634u510e7d99le41e14ce0b36710b@mail.gmail.com>
To: Anne van Kesteren <annevk@opera.com>
Cc: Tyler Close <tyler.close@gmail.com>, Adam Barth <w3c@adambarth.com>, public-webapps <public-webapps@w3.org>
On Mon, Jun 8, 2009 at 2:44 PM, Anne van Kesteren <annevk@opera.com> wrote:

> I sort of like the idea of having a new (named) constructor or maybe have
> the constructor take an argument to indicate credentials are supposed to be
> omitted. This would also allow us to drop the withCredentials flag.

Starting with this new GuestXMLHttpRequest constructor, I am working on a
simpler cross-origin resource sharing proposal. (My working name is
"cors-lite". Thanks to Jasvir for inspiring the pun.) Some questions:

* What drafts need revision to bring this about? Obviously, cors itself. And
Adam's IETF I-D. Also in seems, <
http://dev.w3.org/2006/webapi/XMLHttpRequest-2/>. Is this the right version
to start from? What other documents might need coordinated revision?

* The existing XHR2 draft above specifies XMLHttpRequest in WebIDL as

    interface XMLHttpRequest : XMLHttpRequestEventTarget {
        //... API of instances...

In the favored style of WebIDL use, should I declare GuestXMLHttpRequest to
inherit from XMLHttpRequest, or should I move the above API to a shared
AbstractXMLHttpRequest and have both XMLHttpRequest and GuestXMLHttpRequest
inherit from it? AFAICT, these should result in identical language bindings,
so it's only a question of specification easthetics.

On Tue, Jun 9, 2009 at 12:22 AM, Adam Barth <w3c@adambarth.com> wrote:

> On Mon, Jun 8, 2009 at 5:59 PM, Mark S. Miller<erights@google.com> wrote:
> > For concreteness, for the Origin header for these requests, I'll start
> with
> > the simplest proposal that meets my goals: no Origin header for either
> same
> > origin requests or cross origin requests. But for both the same origin
> case
> > and the cross origin case, I am actually indifferent between no Origin
> > header and an "Origin: null" header. If there's a reason for the "Origin:
> > null" header, I'm happy with that.
> Please send "Origin: null" in these cases.  The problem with omitting
> the origin header is that the server can't tell if the request comes
> from a legacy client or if the header was removed in transit.

* Why does this argument not also apply to credential-free GuestXHR requests
back to the same origin? What server side behavior difference do you expect
between messages with no Origin and messages with "Origin: null". This
difference does not affect much anything I care about, so I'm still happy to
spec it as we agreed. I'd just like to understand the rationale. It makes
more sense to me for all GuestXHR requests be labeled the same way
regardless of the origin of the originating page. Either same way seems more
coherent to me than the current agreement.

> Also, the Referer header should be on your hit-list as a credential.  :)

Absolutely! Good catch. Thanks.
* Are there any other hidden credentials that we may have overlooked?

Received on Friday, 12 June 2009 23:34:45 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:12:54 UTC