- From: Jonas Sicking <jonas@sicking.cc>
- Date: Wed, 17 Feb 2010 02:33:16 -0800
- To: Anne van Kesteren <annevk@opera.com>
- Cc: WebApps WG <public-webapps@w3.org>
On Wed, Feb 17, 2010 at 12:24 AM, Anne van Kesteren <annevk@opera.com> wrote:
> On Tue, 16 Feb 2010 19:53:22 +0100, Jonas Sicking <jonas@sicking.cc> wrote:
>>
>> Hmm.. I have three concerns.
>>
>> 1. There's a risk of breaking existing content
>> 2. I'd fairly strongly prefer to default to *not* sending credentials.
>
> You get that if you use the new constructor.

It's not really default behavior if you have to use a different constructor, is it? ;-)

The whole point is to default to the safer mode of operation. Only when taking special steps are the more powerful, but complex, security models used.

>> It's better that people by default get a simpler security model, and
>> if really needed, opt in to getting a more complex one. I wouldn't
>> want people to end up setting up the server to accepting requests with
>> credentials because they don't know about credential-less requests, or
>> because the back end developer is a stronger developer than the front
>> end developer and so the team ends up deciding to make the change
>> there.
>
> I don't really get the latter justification. The back end can always ignore
> the credentials.

The goal is to minimize risk that people make mistakes. No one is disputing that if everyone writes perfect code there won't be security issues. The problem is that people tend to not write perfect code.

That is the whole reason for having credential-less requests. So that you know that if you never opt in to allowing credentials, there is no need to audit the code to ensure that credentials are ignored in the appropriate places.

I do sort of like the idea that UMP is the "credential-less model". I.e. that we essentially have two modes: UMP, with no user credentials (cookies, auth headers, etc) and no server credentials (origin header), and full on with-credentials (with cookies, origin etc).

There are a few problems however:

* Need to figure out the syntax to choose between the two modes
* UMP doesn't include the referer header (right?). I suspect sites will be sad about this as it is often used for things not related to security. Possibly they'll be sad enough that they'll opt in to credentials just to get the referrer header sent. That defeats the purpose of having credential-less requests.
* Same-site XHR defaults to with-credentials. But cross-site I strongly want to default to without credentials. This complicates the syntax issue.

/ Jonas
Received on Wednesday, 17 February 2010 10:34:09 UTC
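The following is an added example, not code from the thread, from UMP or from any browser. It models the two cross-site modes Jonas contrasts (a credential-less request that carries no cookies, and a with-credentials request the server must explicitly opt in to) and shows why the default matters: a naive back end that authenticates from whatever cookie arrives is safe only as long as cross-site requests are credential-less by default. The origins, the session table and the resource are hypothetical; the browser-side rule follows what XMLHttpRequest later shipped (`withCredentials` defaults to false, same-site requests always carry cookies).

```javascript
// Added example, not code from the thread. Origins, cookie values and the
// session table are constructed for illustration.

// --- Browser side -------------------------------------------------------------
// Which headers an XHR carries. withCredentials defaults to false, so a cross-site
// request carries no cookies unless the page opts in; a same-site request always
// carries them and sends no Origin header.
function buildRequest(pageOrigin, targetOrigin, cookieJar, withCredentials = false) {
  const sameOrigin = pageOrigin === targetOrigin;
  const headers = {};
  if (!sameOrigin) headers.Origin = pageOrigin;
  const cookie = cookieJar[targetOrigin];
  if (cookie && (sameOrigin || withCredentials)) headers.Cookie = cookie;
  return { headers, withCredentials };
}

// --- Server side --------------------------------------------------------------
// Constructed session table: cookie value -> account name.
const SESSIONS = { 'sid=abc123': 'alice' };

// The naive handler: authenticates from the cookie whenever one is present and
// never consults Origin. This is the code that would need auditing if cross-site
// requests carried credentials by default.
function naiveServe(req) {
  const user = SESSIONS[req.headers.Cookie] || null;
  return {
    headers: { 'Access-Control-Allow-Origin': '*' },
    body: { account: user },
  };
}

// The careful handler: account data leaves cross-site only on an explicit
// credentialed request from an allowlisted origin, and then the exact origin is
// echoed (a wildcard '*' is not valid alongside Allow-Credentials: true).
const CREDENTIALED_ORIGINS = new Set(['https://app.example']); // hypothetical

function carefulServe(req) {
  const origin = req.headers.Origin;
  const user = SESSIONS[req.headers.Cookie] || null;
  if (!origin) {
    // Same-site: ordinary authenticated page, no CORS headers needed.
    return { headers: {}, body: { account: user } };
  }
  if (req.headers.Cookie && CREDENTIALED_ORIGINS.has(origin)) {
    return {
      headers: {
        'Access-Control-Allow-Origin': origin,
        'Access-Control-Allow-Credentials': 'true',
      },
      body: { account: user },
    };
  }
  // Credential-less cross-site (the UMP-style mode): cookies are ignored entirely,
  // so the response is identical for every caller and can be served to any origin.
  return {
    headers: { 'Access-Control-Allow-Origin': '*' },
    body: { account: null, public: true },
  };
}

// Drive the cases a practitioner cares about: same-site, cross-site under the
// credential-less default, and cross-site after opting in to credentials.
function scenarios() {
  const api = 'https://api.example';                 // hypothetical target
  const jar = { [api]: 'sid=abc123' };               // victim's cookie for the API
  const same = buildRequest(api, api, jar);
  const attackerDefault = buildRequest('https://evil.example', api, jar);
  const attackerOptIn = buildRequest('https://evil.example', api, jar, true);
  const partnerOptIn = buildRequest('https://app.example', api, jar, true);
  return {
    same: { naive: naiveServe(same), careful: carefulServe(same) },
    attackerDefault: { naive: naiveServe(attackerDefault), careful: carefulServe(attackerDefault) },
    attackerOptIn: { naive: naiveServe(attackerOptIn), careful: carefulServe(attackerOptIn) },
    partnerOptIn: { naive: naiveServe(partnerOptIn), careful: carefulServe(partnerOptIn) },
  };
}

console.log(JSON.stringify(scenarios(), null, 2));
```

Under the credential-less default the naive handler never sees a cookie from a cross-site page, so it returns nothing sensitive without any audit. Once an attacker page can opt in to credentials, the naive handler authenticates the victim and acts on the request; a browser would still refuse to hand a `*` response to a credentialed caller, but the server has already acted on the credential, which is the audit burden Jonas wants to avoid by default.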