Re: [cors] Allow-Credentials vs Allow-Origin: * on image elements? from Devdatta Akhawe on 2010-07-08 (public-webapps@w3.org from July to September 2010)

From: Devdatta Akhawe <dev.akhawe@gmail.com>
Date: Wed, 7 Jul 2010 17:05:41 -0700
To: Charlie Reis <creis@chromium.org>
Cc: "Mark S. Miller" <erights@google.com>, Anne van Kesteren <annevk@opera.com>, public-webapps@w3.org
Message-ID: <AANLkTinI1m1AaRc3_Y_YFaH3byvEoDE5qse-hENPIJKV@mail.gmail.com>

hmm, I think I quoted the wrong part of your email. I wanted to ask
why would it be undesirable to make CORS GET requests cookie-less. It
seems the argument here is reduction of implementation work. Is this
the only one? Note that even AnonXmlHttpRequest intends to make GET
requests cookie-less.

Regards
devdatta


>
> I meant "undesirable" in that it will require much deeper changes to
> browsers.
> I wouldn't mind making it possible to request an image or other subresource
> without cookies, but I don't think there's currently a mechanism for that,
> is there?  And if there's consensus that user agents shouldn't send cookies
> at all on third party subresources, I'm ok with that, but I imagine there
> would be pushback on that sort of proposal-- it would likely affect
> compatibility with existing web sites.  I haven't gathered any data on it,
> though.
> The benefit to allowing * with credentials is that it lets CORS work with
> the existing browser request logic for images and other subresources, where
> cookies are currently sent with the request.
> Charlie
>
>>
>> On 7 July 2010 16:11, Charlie Reis <creis@chromium.org> wrote:
>> >
>> >
>> > On Wed, Jul 7, 2010 at 4:04 PM, Mark S. Miller <erights@google.com>
>> > wrote:
>> >>
>> >> On Wed, Jul 7, 2010 at 1:09 PM, Charlie Reis <creis@chromium.org>
>> >> wrote:
>> >> [...]
>> >>>
>> >>> That's unfortunate-- at least for now, that prevents servers from
>> >>> echoing
>> >>> the origin in the Access-Control-Allow-Origin header, so servers
>> >>> cannot host
>> >>> "public" images that don't taint canvases.  The same problem likely
>> >>> exists
>> >>> for other types of requests that might adopt CORS, like fonts, etc.
>> >>
>> >> Why would public images or fonts need credentials?
>> >
>> > Because it's undesirable to prevent the browser from sending cookies on
>> > an
>> > <img> request, and the user might have cookies for the image's site.
>> >  It's
>> > typical for the browser to send cookies on such requests, and those are
>> > considered a type of credentials by CORS.
>> > Charlie
>> >
>> >>
>> >>
>> >>>>
>> >>>> I believe the plan is to change HTML5 once CORS is somewhat more
>> >>>> stable
>> >>>> and use it for various pieces of infrastructure there. At that point
>> >>>> we can
>> >>>> change <img> to transmit an Origin header with an origin. We could
>> >>>> also
>> >>>> decide to change CORS and allow the combination of * and the
>> >>>> credentials
>> >>>> flag being true. I think * is not too different from echoing back the
>> >>>> value
>> >>>> of a header.
>> >>>>
>> >>>
>> >>> I would second the proposal to allow * with credentials.  It seems
>> >>> roughly equivalent to echoing back the Origin header, and it would
>> >>> allow
>> >>> CORS to work on images and other types of requests without changes to
>> >>> HTML5.
>> >>> Thanks,
>> >>> Charlie
>> >>
>> >>
>> >>
>> >> --
>> >>     Cheers,
>> >>     --MarkM
>> >
>> >
>
>

Received on Thursday, 8 July 2010 00:06:43 UTC