- From: Maciej Stachowiak <mjs@apple.com>
- Date: Wed, 03 Feb 2010 01:41:58 -0800
- To: Jonas Sicking <jonas@sicking.cc>
- Cc: Tyler Close <tyler.close@gmail.com>, Anne van Kesteren <annevk@opera.com>, WebApps WG <public-webapps@w3.org>
I raised ISSUE-114 <http://www.w3.org/2008/webapps/track/issues/114> so this issue does not get lost.

On Feb 3, 2010, at 1:00 AM, Jonas Sicking wrote:

> First off, note that we are talking about *user* credentials here.
> This is why Origin is not included. Origin is a website credential,
> not a user credential. CORS always includes the website credentials in
> the form of the Origin header and referrer.

Right, I'm saying *site* credentials (such as Origin and Referer) do not need to be stripped. Just user credentials.

> In addition to the list you mention, Firefox never shares HTTP
> keep-alive connections between requests with credentials and requests
> without. This also means that a "normal" request from for example an
> <img> or <iframe> will never share a keep-alive connection with a
> credential-less CORS request.
>
> We do this because some protocols, notably NTLM, authenticate the
> keep-alive connection, not the individual requests, IIRC.

We do this too, but only for protocols that authenticate per-connection.

> The general rule of thumb is that anything the UA adds to the request
> that the website can use to uniquely identify the request as coming
> from the user's browser is a user credential. So while the UA string in
> combination with IP number can be used to make a reasonably strong
> guess as to the identity of the user, it's not strong enough to
> actually identify the user, thus it does not count as user
> credentials. But I definitely agree that we should have a normative
> list which includes the items mentioned above.

Agree.

> Another thing that might be worth noting is that if the UA contains an
> HTTP cache (which most popular UAs do), the UA must never use a cached
> response that was the result of a request that was made with
> credentials, when making a request without. The same goes the other
> way around.
>
> I would expect these things to apply to CORS and UMP alike. Including
> the definition of user credentials.

UMP should indeed omit the same user credentials, in addition to omitting a defined set of site credentials.

Regards,
Maciej
Received on Wednesday, 3 February 2010 09:42:33 UTC
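As an added example, not code from this thread, from Firefox, WebKit, or any spec: a toy JavaScript model of the three user-agent rules the two messages agree on, namely stripping user credentials (but not site credentials such as Origin and Referer) for a credential-less request, partitioning keep-alive connections and the HTTP cache by credential mode so a credentialed response is never reused for an anonymous request or vice versa, and the CORS check that a credentialed response may not be shared via a wildcard `Access-Control-Allow-Origin`. Every name here (`USER_CREDENTIAL_HEADERS`, `stripUserCredentials`, `partitionKey`, `PartitionedCache`, `corsAllowsSharing`) and the sample request are this example's own constructions.

```javascript
// Added example: a toy model of the UA rules discussed in the thread.
// None of these names is a spec or browser API; they are this example's own.

// Headers the thread treats as *user* credentials: they identify the user.
// Origin and Referer are *site* credentials and are deliberately not listed.
const USER_CREDENTIAL_HEADERS = new Set(['cookie', 'authorization', 'proxy-authorization']);

// Credential-less form of a request: drop user credentials (headers and the
// client certificate), keep site credentials and everything else.
function stripUserCredentials(request) {
  const headers = {};
  for (const [name, value] of Object.entries(request.headers)) {
    if (!USER_CREDENTIAL_HEADERS.has(name.toLowerCase())) headers[name] = value;
  }
  return { ...request, headers, withCredentials: false, clientCertificate: null };
}

// Key under which a request's keep-alive connection or cache entry lives.
// Folding the credential mode into the key means a credentialed and an
// anonymous request for the same URL never share a connection (NTLM
// authenticates the connection) and never see each other's cached responses.
function partitionKey(request) {
  const mode = request.withCredentials ? 'credentialed' : 'anonymous';
  return `${mode}|${request.method}|${request.url}`;
}

class PartitionedCache {
  constructor() { this.entries = new Map(); }
  store(request, response) { this.entries.set(partitionKey(request), response); }
  lookup(request) { return this.entries.get(partitionKey(request)) ?? null; }
}

// CORS resource-sharing check: an anonymous request may be satisfied by '*'
// or the exact origin; a credentialed request needs the exact origin plus
// Access-Control-Allow-Credentials: true. Response header names are lowercase.
function corsAllowsSharing(request, response) {
  const allowOrigin = response.headers['access-control-allow-origin'];
  if (allowOrigin === undefined) return false;
  if (!request.withCredentials) return allowOrigin === '*' || allowOrigin === request.origin;
  return allowOrigin === request.origin &&
         response.headers['access-control-allow-credentials'] === 'true';
}

// Constructed sample: a cross-site XHR from https://app.example to
// https://api.example carrying a session cookie, Basic auth and a client cert.
const credentialed = {
  method: 'GET',
  url: 'https://api.example/profile',
  origin: 'https://app.example',
  withCredentials: true,
  clientCertificate: 'cn=alice',
  headers: {
    Origin: 'https://app.example',
    Referer: 'https://app.example/page',
    Cookie: 'session=abc123',
    Authorization: 'Basic YWxpY2U6aHVudGVyMg==',
  },
};
const anonymous = stripUserCredentials(credentialed);

const cache = new PartitionedCache();
cache.store(credentialed, {
  status: 200,
  headers: { 'access-control-allow-origin': 'https://app.example',
             'access-control-allow-credentials': 'true' },
  body: 'alice profile',
});

console.log(Object.keys(anonymous.headers));   // [ 'Origin', 'Referer' ]
console.log(cache.lookup(anonymous));          // null
console.log(corsAllowsSharing(anonymous, { headers: { 'access-control-allow-origin': '*' } }));    // true
console.log(corsAllowsSharing(credentialed, { headers: { 'access-control-allow-origin': '*' } })); // false
```

The partition key is the whole point of the second and fourth quoted paragraphs: a real UA would key its connection pool and cache on more than this (scheme, host, port, Vary), but whatever else goes in, the credential mode has to be part of it, or an NTLM-authenticated connection or a cookie-derived cached body leaks into a request that was supposed to carry no user identity.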