Re: Re: Re: [XHR] anonymous flag from Hallvord Reiar Michaelsen Steen on 2013-05-23 (public-webapps@w3.org from April to June 2013)

From: Hallvord Reiar Michaelsen Steen <hallvord@opera.com>
Date: Thu, 23 May 2013 10:55:41 +0200
To: annevk@annevk.nl, "Julian Aubourg" <j@ubourg.net>, "Jungkee Song" <jungkees@gmail.com>, john@jkemp.net, nathan@webr3.org, art.barstow@nokia.com, dev.akhawe@gmail.com, ian@hixie.ch, jackalmage@gmail.com, w3c@adambarth.com, ojan@chromium.org, "Dirk Pranke" <dpranke@chromium.org>, mjs@apple.com, tyler.close@gmail.com, "Jonas Sicking" <jonas@sicking.cc>, public-webapps <public-webapps@w3.org>, "Charles McCathie Nevile" <chaals@yandex-team.ru>, "Mark S. Miller" <erights@google.com>, ๏̯͡๏ Jasvir Nagra <jasvir@google.com>
Message-ID: <6fad42792ebfef4bff214493e12f8450@opera.com>

[Minor edit: fixed your true/false typo]
 
> * If we had a better way of controlling the option to deny sending credentials
> in a way that kept compatibility with legacy webpages (eg. a tristate flag like
> you suggest in [6]), I agree it would be better than to have two different flags
> which may be confusing to developers and which may disagree with each other. 

I agree (naturally) - now, just to be very clear: your needs are met if the API lets you control *credentials* - right? Does Caja currently attempt to suppress Referer: and/or Origin: headers? Do you consider it a requirement to be able to do so?

> * In Google AppScript and on Google Sites, we execute a code on the same domain
> sandboxed using Caja.  In this case, Caja  relies on withCredentials defaulting to
> false and prevents sandboxed guest code from setting it to true.  In this way,
> we're able to work around the difficulties posed by the API that you point out.
> We are nevertheless forced to either proxy or deny requests to the same origin since
> the CORS anon flag appears not be reliably supported on all browsers (and 
> withCredentials does not apply to same-origin).  


It sounds like making withCredentials a tri-state thing (i.e. with values 'samedomain', 'always', 'never') would work better for you :) - depending of course on how you respond to the above question, that is..

-- 
Hallvord R. M. Steen
Core tester, Opera Software

Received on Thursday, 23 May 2013 08:56:43 UTC