Re: [XHR2] new XMLHttpRequest(anon)

On Wed, Feb 17, 2010 at 12:24 AM, Anne van Kesteren <annevk@opera.com> wrote:
> On Tue, 16 Feb 2010 19:53:22 +0100, Jonas Sicking <jonas@sicking.cc> wrote:
>>
>> Hmm.. I have three concerns.
>>
>> 1. There's a risk of breaking existing content
>> 2. I'd fairly strongly prefer to default to *not* sending credentials.
>
> You get that if you use the new constructor.

It's not really default behavior if you have to use a different
constructor, is it? ;-)

The whole point is to default to the safer mode of operation. Only
when taking special steps are the more powerful, but complex, security
models used.

>> It's better that people by default get a simpler security model, and
>> if really needed, opt in to getting a more complex one. I wouldn't
>> want people to end up setting up the server to accept requests with
>> credentials because they don't know about credential-less requests, or
>> because the back end developer is a stronger developer than the front
>> end developer and so the team ends up deciding to make the change
>> there.
>
> I don't really get the latter justification. The back end can always ignore
> the credentials.

The goal is to minimize risk that people make mistakes. No one is
disputing that if everyone writes perfect code there won't be security
issues. The problem is that people tend to not write perfect code.
That is the whole reason for having credential-less requests. So that
you know that if you never opt in to allowing credentials, there is no
need to audit the code to ensure that credentials are ignored in the
appropriate places.

I do sort of like the idea that UMP is the "credential-less model".
I.e. that we essentially have two modes: UMP, with no user credentials
(cookies, auth headers, etc) and no server credentials (origin
header), and full on with-credentials (with cookies, origin etc).

There are a few problems however:
* Need to figure out the syntax to choose between the two modes
* UMP doesn't include the referer header (right?). I suspect sites
will be sad about this as it is often used for things not related to
security. Possibly they'll be sad enough that they'll opt in to
credentials just to get the referrer header sent. That defeats the
purpose of having credential-less requests.
* Same-site XHR defaults to with-credentials. But cross-site I
strongly want to default to without credentials. This complicates the
syntax issue.

/ Jonas
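The following is an added illustration, not text or code from the message above and not from any specification: a toy model of the two modes the message contrasts (UMP, credential-less, versus with-credentials) and of why an endpoint that never opts in to credentials needs no auditing for stray cookie handling. The header set sent in each mode follows the message's own description (UMP sends no cookies, no auth header, no Origin and, as the message suspects, no Referer); host names, cookie values and the session table are constructed sample data; the response-side gate follows CORS as deployed (a credentialed response is only exposed when the server names the origin exactly and sends Access-Control-Allow-Credentials: true).

```javascript
// Added illustration, not code from the e-mail above or from any spec:
// a toy model of the two request modes under discussion. Header names are
// the real HTTP/CORS ones; hosts, cookies and the session table are
// constructed sample data.

// Constructed browser state: what the browser holds for each host.
const BROWSER_STATE = {
  cookies: { 'api.example': 'session=abc123' },
  authHeaders: { 'api.example': 'Basic dXNlcjpwYXNz' },
};

// Headers a browser attaches to a cross-site request in each mode.
//   'ump'              credential-less: no cookies, no auth, no Origin, no Referer
//   'with-credentials' opt-in: all of the above are sent
function buildRequestHeaders(targetHost, mode, callerOrigin, callerPage) {
  const headers = {};
  if (mode === 'ump') return headers;
  if (mode !== 'with-credentials') throw new Error('unknown mode: ' + mode);
  const cookie = BROWSER_STATE.cookies[targetHost];
  const auth = BROWSER_STATE.authHeaders[targetHost];
  if (cookie) headers.Cookie = cookie;
  if (auth) headers.Authorization = auth;
  headers.Origin = callerOrigin;
  headers.Referer = callerPage;
  return headers;
}

// Constructed session table on the server side.
const SESSIONS = { 'session=abc123': 'alice' };

// Server-side user resolution. An endpoint that has not opted in to
// credentials resolves every request to the anonymous user, so no code path
// behind it needs auditing for "did we ignore the cookie here?".
function resolveUser(requestHeaders, endpointAcceptsCredentials) {
  if (!endpointAcceptsCredentials) return 'anonymous';
  const user = SESSIONS[requestHeaders.Cookie];
  return user || 'anonymous';
}

// Browser-side gate on the response, as CORS does it today: a credentialed
// response is exposed only when the server names the origin exactly and
// explicitly allows credentials; a wildcard is not accepted in that mode.
function browserMayReadResponse(mode, responseHeaders, callerOrigin) {
  const allowOrigin = responseHeaders['Access-Control-Allow-Origin'];
  if (mode === 'ump') {
    return allowOrigin === '*' || allowOrigin === callerOrigin;
  }
  return allowOrigin === callerOrigin &&
         responseHeaders['Access-Control-Allow-Credentials'] === 'true';
}

// Walk one cross-site request through a mode and report what each side sees.
function demo(mode) {
  const origin = 'https://app.example';
  const req = buildRequestHeaders('api.example', mode, origin, origin + '/page');
  return {
    sentCookie: 'Cookie' in req,
    sentReferer: 'Referer' in req,
    userSeenByOptedOutEndpoint: resolveUser(req, false),
    userSeenByOptedInEndpoint: resolveUser(req, true),
    readableWithWildcard: browserMayReadResponse(
      mode, { 'Access-Control-Allow-Origin': '*' }, origin),
  };
}

console.log('ump:', demo('ump'));
console.log('with-credentials:', demo('with-credentials'));
```

Running it shows the asymmetry the message is after: in UMP mode nothing identifying the user or the calling page leaves the browser, so the server cannot act on a session even by mistake, while in with-credentials mode the cookie is sent and only the endpoint's explicit opt-in (and, on the way back, the exact-origin CORS gate) stands between it and a credentialed action.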

Received on Wednesday, 17 February 2010 10:34:09 UTC