- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Fri, 17 May 2013 11:36:19 +0100
- To: Charles McCathie Nevile <chaals@yandex-team.ru>
- Cc: Hallvord Reiar Michaelsen Steen <hallvord@opera.com>, Jonas Sicking <jonas@sicking.cc>, public-webapps <public-webapps@w3.org>

On Fri, May 17, 2013 at 11:24 AM, Charles McCathie Nevile <chaals@yandex-team.ru> wrote:
> With respect to your use case for keeping anonymous I agree with Hallvord. I
> cannot think of a real use case for a browser-like thing that accepts
> arbitrary URLs. Could you please provide some more explanation of the real
> scenarios for this use case?

We have been over this many times in the discussions over CORS and UMP, including whether or not we care about confused deputy attacks and ambient authority. At the time we decided we did which is why we offered this feature.

In addition, there's been requests to have more control over whether cookies are transmitted (as they take up space) and as to whether the Referer header is included in requests (not the same as setting its value to null, which is not what setRequestHeader() can be used for anyway, as it's for additional headers, not controlling existing ones). See e.g. http://wiki.whatwg.org/wiki/Meta_referrer for a feature that seems to be getting some traction.

Whether these should be combined or not is unclear to me (UMP needs both). I don't really feel it's responsible to remove this feature at this point without anyone involved in the original discussion speaking up. But then since it's not implemented maybe we can ignore that. :/

--
http://annevankesteren.nl/

Received on Friday, 17 May 2013 10:36:45 UTC