Re: [XHR2] new XMLHttpRequest(anon)

On Wed, 17 Feb 2010 11:33:16 +0100, Jonas Sicking wrote:
> I do sort of like the idea that UMP is the "credential less model".
> I.e. that we essentially have two modes: UMP, with no user credentials
> (cookies, auth headers, etc) and no server credentials (origin
> header), and full on with-credentials (with cookies, origin etc).

Right, this is what I am proposing with UMP being new XMLHttpRequest(true).

> There are a few problems however:
> * Need to figure out the syntax to choose between the two modes
> * UMP doesn't include the referer header (right?). I suspect sites
> will be sad about this as it is often used for things not related to
> security. Possibly they'll be sad enough that they'll opt in to
> credentials just to get the referrer header sent. That defeats the
> purpose of having credential less requests.

Sending the Referer header would defeat the purpose of origin being a  
globally unique identifier.

> * Same-site XHR defaults to with-credentials. But cross-site I
> strongly want to default to without credentials. This complicates the
> syntax issue.

Well, we'd have to give that up, basically.

Having said that, I guess we're stuck with withCredentials, however sad. I  
have made the change that open() raises an INVALID_ACCESS_ERR if you  
provide either username or password for a cross-origin request. That seems  
relatively safe and better than simply ignoring the arguments.

Anne van Kesteren

Received on Wednesday, 17 February 2010 10:39:58 UTC
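
The open() check described in the last paragraph of the message, modelled here as an added example; it is not code from the XMLHttpRequest draft or from any browser. The names `checkOpen` and `InvalidAccessError` are hypothetical, and treating null/undefined as "argument not provided" is an assumption.

```javascript
// Added illustration: a stand-alone model of the argument check, not a real XHR object.
const INVALID_ACCESS_ERR = 15; // legacy DOMException code for INVALID_ACCESS_ERR

// Hypothetical error type standing in for the DOMException a browser would raise.
class InvalidAccessError extends Error {
  constructor(message) {
    super(message);
    this.name = "InvalidAccessError";
    this.code = INVALID_ACCESS_ERR;
  }
}

// Decide whether open(method, url, async, username, password) may proceed.
// documentUrl is the URL of the page making the request (constructed input).
function checkOpen(documentUrl, requestUrl, username, password) {
  const doc = new URL(documentUrl);
  // Relative request URLs resolve against the document, so they stay same-origin.
  const target = new URL(requestUrl, doc);
  // URL.origin serialises scheme, host and port, dropping default ports,
  // so https://example.org and https://example.org:443 compare equal.
  const crossOrigin = target.origin !== doc.origin;
  // Assumption: null/undefined means the argument was omitted;
  // an empty string still counts as "provided".
  const hasCredentialArgs = username != null || password != null;
  if (crossOrigin && hasCredentialArgs) {
    // Raise instead of silently ignoring the arguments, as the message describes.
    throw new InvalidAccessError(
      "username/password not allowed for cross-origin request to " + target.origin
    );
  }
  return { url: target.href, crossOrigin, hasCredentialArgs };
}

// Run a few constructed cases and report the outcome of each.
function demo() {
  const page = "https://app.example.org/inbox/";
  const cases = [
    ["messages.json", "alice", "s3cret"],                    // same-origin, allowed
    ["https://api.example.net/feed", undefined, undefined],  // cross-origin, no args
    ["https://api.example.net/feed", "alice", undefined],    // cross-origin + username
  ];
  return cases.map(([url, user, pass]) => {
    try {
      return checkOpen(page, url, user, pass).crossOrigin ? "cross-origin ok" : "same-origin ok";
    } catch (e) {
      return e.name + ":" + e.code;
    }
  });
}
```
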