- From: Hallvord Reiar Michaelsen Steen <hallvord@opera.com>
- Date: Mon, 13 May 2013 19:57:50 +0200
- To: "Anne van Kesteren" <annevk@annevk.nl>
- Cc: public-webapps <public-webapps@w3.org>
>>> Yes. It was added to address: http://www.w3.org/TR/UMP/

> We could revisit
> http://lists.w3.org/Archives/Public/public-webapps/2010AprJun/thread.html#msg171
> I suppose. Apparently at least Jonas changed his mind since then.

I didn't know the UMP spec. Reading it, it seems to me that the fundamental stuff the UMP spec was attempting to do has been fulfilled in CORS (making cross-origin accessibility a feature of the resource rather than a property of the requesting user, yet having some protection against cross-site exploits by making CORS limited by default, opting in to credentials++ using .withCredentials and special HTTP headers).

What the UMP-inspired "anonymous" flag adds on top of what CORS already has seems to be two things:

1) A way to disable sending the Origin: and Referer: headers in CORS requests. Why? Because we fear that some resource behaves differently depending on the Origin/Referer of the request AND we want to allow webmasters to hack around that? (Isn't Origin added precisely to make sure the "other" site has reliable information on what site the request comes from? Isn't that by design an important and legitimate factor in whether a resource allows access or not?)

2) A way to send same-origin requests as if they were other-origin requests, ignore cookies and make same-origin resources unavailable unless they respond with the correct CORS headers. Why? A webmaster is worried about XSRF attacks against their own site, yet allows users to supply URLs that will be fetched through XHR? So the solution is to engineer this site (where we're so concerned about XSRF attacks) with CORS headers that make resources globally accessible?? That seems like a fragile and highly contrived way to do it.

I guess UMP attempted to solve two opposite problems (some resources that "want to" be globally accessible are not accessible enough, while some resources are inadvertently usable from other sites from where they are not expected to be used) and the design got a bit muddled as a result. One might want to use CORS ideas to solve the XSRF problem though - having the Origin: header is of course a good mitigating factor that the backend can make use of.

Does anyone have real, non-contrived use cases for the anonymous flag? If not, I suggest dropping the "anonymous flag" feature from XHR.

--
Hallvord R. M. Steen
Core tester, Opera Software
Received on Monday, 13 May 2013 17:57:46 UTC
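The two ideas the message above leans on (CORS as an opt-in property of the resource, with credentials requiring an explicit origin, and the Origin: header as an XSRF mitigation the backend can check) as an added server-side example; this is illustration code, not part of the thread or any browser or spec implementation. The origins `https://app.example` and `https://partner.example` and the sample requests are constructed.

```javascript
// Assumed: our own site origin and a small allow-list of partner origins.
const SITE_ORIGIN = 'https://app.example';
const TRUSTED_ORIGINS = new Set(['https://partner.example']);

// CORS response headers for a request that carried `originHeader`.
// Without credentials the resource may be public ("*"). Once the caller opts
// in with xhr.withCredentials the browser refuses "*" and requires an explicit
// matching Access-Control-Allow-Origin plus Access-Control-Allow-Credentials:
// true, so a credentialed resource is only readable by origins we name.
function corsResponseHeaders(originHeader, { allowCredentials = false } = {}) {
  if (originHeader == null) return {};              // no Origin: not a CORS request
  if (!allowCredentials) return { 'Access-Control-Allow-Origin': '*' };
  if (!TRUSTED_ORIGINS.has(originHeader)) return {}; // no headers: browser blocks the read
  return {
    'Access-Control-Allow-Origin': originHeader,     // echo the one origin, never "*"
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin',                                // cache must key on Origin
  };
}

// XSRF check for state-changing requests. The browser sets Origin: on
// cross-origin requests (and on same-origin POSTs) and page script cannot
// override it, so a write whose Origin is neither our own site nor a trusted
// partner is refused. Assumption: a missing Origin is refused as well; legacy
// clients without it would need another defence such as a request token.
const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS']);
function isOriginAcceptable(method, originHeader) {
  if (SAFE_METHODS.has(method.toUpperCase())) return true;
  if (originHeader == null) return false;
  return originHeader === SITE_ORIGIN || TRUSTED_ORIGINS.has(originHeader);
}

// Constructed sample requests run through both checks.
const SAMPLE_REQUESTS = [
  { method: 'POST', origin: 'https://evil.example',    withCredentials: true },
  { method: 'POST', origin: 'https://partner.example', withCredentials: true },
  { method: 'GET',  origin: 'https://anywhere.example', withCredentials: false },
  { method: 'POST', origin: undefined,                 withCredentials: false },
];
function evaluate(req) {
  return {
    cors: corsResponseHeaders(req.origin, { allowCredentials: req.withCredentials }),
    accepted: isOriginAcceptable(req.method, req.origin),
  };
}
for (const req of SAMPLE_REQUESTS) console.log(req.method, req.origin, evaluate(req));
```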