
Re: [XHR2] new XMLHttpRequest(anon)

From: Anne van Kesteren <annevk@opera.com>
Date: Wed, 17 Feb 2010 11:39:26 +0100
To: "Jonas Sicking" <jonas@sicking.cc>
Cc: "WebApps WG" <public-webapps@w3.org>
Message-ID: <op.u79o70i564w2qv@annevk-t60>

On Wed, 17 Feb 2010 11:33:16 +0100, Jonas Sicking <jonas@sicking.cc> wrote:
> I do sort of like the idea that UMP is the "credential-less model".
> I.e. that we essentially have two modes: UMP, with no user credentials
> (cookies, auth headers, etc) and no server credentials (origin
> header), and full-on with-credentials (with cookies, origin etc).

Right, this is what I am proposing with UMP being new XMLHttpRequest(true).

> There are a few problems however:
> * Need to figure out the syntax to choose between the two modes
> * UMP doesn't include the referer header (right?). I suspect sites
> will be sad about this as it is often used for things not related to
> security. Possibly they'll be sad enough that they'll opt in to
> credentials just to get the referrer header sent. That defeats the
> purpose of having credential-less requests.

Sending the Referer header would defeat the purpose of origin being a globally unique identifier.

> * Same-site XHR defaults to with-credentials. But cross-site I
> strongly want to default to without credentials. This complicates the
> syntax issue.

Well, we'd have to give that up, basically.

Having said that, I guess we're stuck with withCredentials, however sad. I have made the change that open() raises an INVALID_ACCESS_ERR if you provide either username or password for a cross-origin request. That seems relatively safe and better than simply ignoring the arguments.

Anne van Kesteren
Received on Wednesday, 17 February 2010 10:39:58 UTC
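As an added example that is not part of the message above or of any XHR2 draft text, the following JavaScript models the two request modes the thread discusses (same-origin with credentials, cross-origin without unless withCredentials is set, and the proposed anonymous/UMP mode with no cookies, no Origin and no Referer) together with the open() check Anne describes: a cross-origin request given a username or password is rejected with INVALID_ACCESS_ERR instead of having the arguments silently ignored. The function names planRequest and isCrossOrigin and the `anonymous` option are assumptions made for this example; the numeric code 15 is the legacy DOMException value for INVALID_ACCESS_ERR. The example needs no browser: it only computes what a conforming client would send, so it runs under Node.

```javascript
// Added example (not from the original message): a model of the XHR2
// credential rules discussed in the thread, expressed as a pure function
// so the policy can be exercised without a browser or a network.

const INVALID_ACCESS_ERR = 15; // legacy DOMException code for INVALID_ACCESS_ERR

// Resolve the request URL against the document's origin and compare the
// scheme/host/port tuple exactly, as the same-origin policy does.
function isCrossOrigin(requestUrl, documentOrigin) {
  const target = new URL(requestUrl, documentOrigin);
  return target.origin !== new URL(documentOrigin).origin;
}

// Describe the request a client following the thread's rules would issue,
// or throw the error that open() raises for a disallowed argument combination.
// `anonymous` is an assumed name for the UMP-style mode (new XMLHttpRequest(true)).
function planRequest(documentOrigin, method, url, options = {}) {
  const {
    username = null,
    password = null,
    withCredentials = false,
    anonymous = false,
  } = options;

  const crossOrigin = isCrossOrigin(url, documentOrigin);

  // The check from the message: refuse rather than ignore user/password
  // supplied to open() for a cross-origin request.
  if (crossOrigin && (username !== null || password !== null)) {
    const err = new Error(
      "INVALID_ACCESS_ERR: username/password not allowed for a cross-origin request"
    );
    err.code = INVALID_ACCESS_ERR;
    throw err;
  }

  if (anonymous) {
    // UMP / credential-less mode: no user credentials (cookies, HTTP auth)
    // and no server credentials (Origin header); Referer is not sent either.
    return {
      method,
      url: new URL(url, documentOrigin).href,
      crossOrigin,
      sendsCookies: false,
      sendsOrigin: false,
      sendsReferer: false,
      httpAuth: null,
    };
  }

  // Same-origin requests always carry the user's credentials; cross-origin
  // requests carry them only when withCredentials has been opted into.
  const sendsCookies = !crossOrigin || withCredentials;
  return {
    method,
    url: new URL(url, documentOrigin).href,
    crossOrigin,
    sendsCookies,
    sendsOrigin: crossOrigin, // CORS requests identify the requesting origin
    sendsReferer: true,
    httpAuth: username !== null || password !== null ? { username, password } : null,
  };
}

// Constructed sample calls, e.g. from a page at https://app.example
// planRequest("https://app.example", "GET", "/api/me")                 -> sendsCookies: true
// planRequest("https://app.example", "GET", "https://other.example/")  -> sendsCookies: false
```

The design point is that the rejection happens before any request is planned, so a page cannot observe a half-applied state where credentials were accepted for the URL object but dropped on the wire.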
