Re: [XHR] anonymous flag

On Fri, May 17, 2013 at 11:24 AM, Charles McCathie Nevile wrote:
> With respect to your use case for keeping anonymous I agree with Hallvord. I
> cannot think of a real use case for a browser-like thing that accepts
> arbitrary URLs. Could you please provide some more explanation of the real
> scenarios for this use case?

We have been over this many times in the discussions over CORS and
UMP, including whether or not we care about confused deputy attacks
and ambient authority. At the time we decided we did, which is why we
offered this feature.

In addition, there have been requests to have more control over whether
cookies are transmitted (as they take up space) and as to whether the
Referer header is included in requests (not the same as setting its
value to null, which is not what setRequestHeader() can be used for
anyway, as it's for additional headers, not controlling existing
ones). See e.g. for a
feature that seems to be getting some traction. Whether these should
be combined or not is unclear to me (UMP needs both).

I don't really feel it's responsible to remove this feature at this
point without anyone involved in the original discussion speaking up.
But then since it's not implemented maybe we can ignore that. :/


Received on Friday, 17 May 2013 10:36:45 UTC