Re: [XHR2] AnonXMLHttpRequest()

On Tue, Feb 2, 2010 at 11:37 PM, Maciej Stachowiak wrote:
> On Feb 2, 2010, at 9:42 PM, Tyler Close wrote:
> On Tue, Feb 2, 2010 at 5:14 PM, Maciej Stachowiak wrote:
> On Feb 2, 2010, at 11:15 AM, Tyler Close wrote:
> On Sun, Jan 31, 2010 at 11:03 PM, Maciej Stachowiak wrote:
> I'm curious what practical differences there are between CORS with the
> credentials flag set to false and the origin set to "null", and UMP.
> Are there any?
> The credentials flag in CORS is underspecified, so it's hard to answer
> this question.
> Can you be more specific? What is underspecified about it? Sounds like
> something we should fix.
> Nowhere does CORS define what a credential is. Nowhere does it list
> specific credentials a browser may have but should not use when the
> credential flag is false. Does CORS treat the Origin header as a
> credential? What other identifiers are not credentials? What about
> proxy credentials?
> Fair point. It looks like the only actual statement about the effect of the
> credentials flag is:
> "Whenever the make a request steps are applied, make a request to request
> URL, using method request method, entity body request entity body, including
> the custom request headers, and include credentials if the credentials
> flag is true (e.g. HTTP authentication data and cookies)."
> There are two problems with this:
> (1) It's not normatively defined what constitutes a credential.
> (2) It says to include credentials when the credentials flag is true, but it
> doesn't say they must not be included when the credentials flag is false.
> I think the credentials flag should specifically affect cookies, HTTP
> authentication, and client-side SSL certs, but not proxy authentication (or,
> obviously, Origin). Anne, can you fix this?

First off, note that we are talking about *user* credentials here.
This is why Origin is not included. Origin is a website credential,
not a user credential. CORS always includes the website credentials in
the form of the Origin header and referrer.

In addition to the list you mention, Firefox never shares HTTP
keep-alive connections between requests with credentials and requests
without. This also means that a "normal" request from for example an
<img> or <iframe> will never share a keep-alive connection with a
credential-less CORS request.

We do this because some protocols, notably NTLM, authenticate the
keep-alive connection, not the individual requests, IIRC.

The general rule of thumb is that anything the UA adds to the request
that the website can use to uniquely identify the request as coming
from the user's browser is a user credential. So while the UA string in
combination with IP number can be used to make a reasonably strong
guess as to the identity of the user, it's not strong enough to
actually identify the user, thus it does not count as user
credentials. But I definitely agree that we should have a normative
list which includes the items mentioned above.

Another thing that might be worth noting is that if the UA contains an
HTTP cache (which most popular UAs do), the UA must never use a cached
response that was the result of a request that was made with
credentials, when making a request without. The same goes the other
way around.

I would expect these things to apply to CORS and UMP alike. Including
the definition of user credentials.

/ Jonas

Received on Wednesday, 3 February 2010 09:01:30 UTC
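
The separation rules discussed in this message, sketched as an added example that is not part of the original thread or of any browser's code: a toy user agent that strips user credentials, and keys both its keep-alive pool and its HTTP cache on the credentials mode. `ToyUserAgent`, the header list, and the sample URLs and values are assumptions made for illustration.

```javascript
// Added illustration; ToyUserAgent and all names here are hypothetical.
// User credentials per the thread: cookies, HTTP authentication, client-side
// SSL certs. Origin and proxy authentication are not stripped.
const USER_CREDENTIAL_HEADERS = ['cookie', 'authorization'];

class ToyUserAgent {
  constructor(stored) {
    this.stored = stored;    // headers the UA would normally attach
    this.cache = new Map();  // "mode url" -> cached body
    this.pools = new Map();  // "mode origin" -> keep-alive connection id
    this.nextConn = 1;
  }
  // The credentials mode is part of every key, so state never crosses modes.
  static key(withCredentials, what) {
    return (withCredentials ? 'cred ' : 'anon ') + what;
  }
  connectionFor(url, withCredentials) {
    const k = ToyUserAgent.key(withCredentials, new URL(url).origin);
    if (!this.pools.has(k)) this.pools.set(k, this.nextConn++);
    return this.pools.get(k);
  }
  headersFor(withCredentials) {
    return Object.fromEntries(Object.entries(this.stored).filter(([name]) =>
      withCredentials || !USER_CREDENTIAL_HEADERS.includes(name.toLowerCase())));
  }
  request(url, withCredentials, server) {
    const conn = this.connectionFor(url, withCredentials);
    const k = ToyUserAgent.key(withCredentials, url);
    if (this.cache.has(k)) return { conn, fromCache: true, body: this.cache.get(k) };
    const headers = this.headersFor(withCredentials);
    const body = server(headers);
    this.cache.set(k, body);
    // A TLS client certificate would only be offered in credentialed mode.
    return { conn, fromCache: false, body, headers, clientCert: withCredentials };
  }
}

// Constructed sample state and a constructed server that personalises on Cookie.
function demo() {
  const ua = new ToyUserAgent({
    Cookie: 'sid=constructed-sample', Authorization: 'Basic constructed',
    Origin: 'https://a.example', 'Proxy-Authorization': 'Basic constructed-proxy',
  });
  const server = (h) => (h.Cookie ? 'private page for sid' : 'public page');
  const url = 'https://b.example/feed';
  return { cred: ua.request(url, true, server),
           anon: ua.request(url, false, server),
           anonAgain: ua.request(url, false, server) };
}
```

If the mode were dropped from `key`, the second request in `demo` would be answered from the cache with the personalised body and would reuse the connection opened for the credentialed request.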