Re: XHR and sandboxed iframes (was: Re: XHR without user credentials) from Mark S. Miller on 2009-06-17 (public-webapps@w3.org from April to June 2009)

From: Mark S. Miller <erights@google.com>
Date: Wed, 17 Jun 2009 16:37:26 -0700
To: Ian Hickson <ian@hixie.ch>
Cc: Anne van Kesteren <annevk@opera.com>, Tyler Close <tyler.close@gmail.com>, Adam Barth <w3c@adambarth.com>, public-webapps <public-webapps@w3.org>
Message-ID: <4d2fac900906171637w4a323bd6pd95a6a6eeb2abe6c@mail.gmail.com>

On Wed, Jun 17, 2009 at 4:32 PM, Ian Hickson <ian@hixie.ch> wrote:

> On Wed, 17 Jun 2009, Mark S. Miller wrote:
> > > > >>
> > > > >> If it does transmit any of these currently, are there any
> > > > >> objections to revising the spec so that it doesn't?
> > >
> > > Why?
> >
> > So that the containing page can use such a credential removing service
> > to allow sanitized content within the page to make requests -- either to
> > its own or to other origins -- while preventing this content from
> > "speaking for" the containing page or the user.
>
> The contained page already can't speak on behalf of the containing page --
> that's what removing the Origin (and setting Origin to 'null') prevents.
>

"or the user." So what about

* HTTP auth info
* cookies
* client-side certs
* REFERRER

?

-- 
   Cheers,
   --MarkM

Received on Wednesday, 17 June 2009 23:38:02 UTC