Re: XHR and sandboxed iframes (was: Re: XHR without user credentials)

On Wed, Jun 17, 2009 at 4:32 PM, Ian Hickson <ian@hixie.ch> wrote:

> On Wed, 17 Jun 2009, Mark S. Miller wrote:
> > > > >>
> > > > >> If it does transmit any of these currently, are there any
> > > > >> objections to revising the spec so that it doesn't?
> > >
> > > Why?
> >
> > So that the containing page can use such a credential removing service
> > to allow sanitized content within the page to make requests -- either to
> > its own or to other origins -- while preventing this content from
> > "speaking for" the containing page or the user.
>
> The contained page already can't speak on behalf of the containing page --
> that's what removing the Origin (and setting Origin to 'null') prevents.
>

"or the user." So what about

* HTTP auth info
* cookies
* client-side certs
* REFERRER

?

-- 
   Cheers,
   --MarkM

Received on Wednesday, 17 June 2009 23:38:02 UTC