Re: [XHR2] AnonXMLHttpRequest() from Maciej Stachowiak on 2010-02-03 (public-webapps@w3.org from January to March 2010)

From: Maciej Stachowiak <mjs@apple.com>
Date: Wed, 03 Feb 2010 01:41:58 -0800
To: Jonas Sicking <jonas@sicking.cc>
Cc: Tyler Close <tyler.close@gmail.com>, Anne van Kesteren <annevk@opera.com>, WebApps WG <public-webapps@w3.org>
Message-id: <63E7AB88-F318-42B6-94C1-192ECB6CAE47@apple.com>

I raised ISSUE-114 <http://www.w3.org/2008/webapps/track/issues/114> so this issue does not get lost.

On Feb 3, 2010, at 1:00 AM, Jonas Sicking wrote:

> 
> First off, note that we are talking about *user* credentials here.
> This is why Origin is not included. Origin is a website credential,
> not a user credential. CORS always include the website credentials in
> the form of Origin header and referrer.

Right, I'm saying *site* credentials (such as Origin and Referer) do not need to be stripped. Just user credentials.

> In addition to the list you mention, firefox never shares http
> keep-alive connections between requests with credentials and requests
> without. This also means that a "normal" request from for example a
> <img> or <iframe> will never share keep-alive connection with a
> credential-less CORS request.
> 
> We do this because some protocols, notably NTLM, authenticate the
> keep-alive connection, not the individual requests, IIRC.

We do this too but only for protocols that authenticate per-connection.

> 
> The general rule of thumb is that anything the UA adds to the request
> that the website can use to uniquely identify the request as coming
> from the users browser is a user credential. So while the UA string in
> combination with IP number can be used to make a reasonably strong
> guess as to the identity of the user, it's not strong enough to
> actually identify the user, thus it does not count as user
> credentials. But I definitely agree that we should have a normative
> list which includes the items mentioned above.

Agree.

> 
> Another thing that might be worth noting is that if the UA contains a
> HTTP cache (which most popular UAs do), the UA must never use a cached
> response that was the result of a request that was made with
> credentials, when making a request without. The same goes the other
> way around.
> 
> I would expect these things to apply to CORS and UMP alike. Including
> the definition of user credentials.

UMP should indeed omit the same user credentials, in addition to omitting a defined set of site credentials.

Regards,
Maciej

Received on Wednesday, 3 February 2010 09:42:33 UTC