Re: Re: Re: Re: Re: [XHR] anonymous flag

I wrote: 

> I would like to see some real code evidence that omitting Origin:
> and Referer: is necessary too. In theory sites might use them as
> "credentials" as you say, but in practise I don't see how that can
> work and be safe on the web.

> If we ship XHR with an "anonymous" flag removing Origin: and Referer:
> and call it a security feature, wouldn't that *encourage* sites to
> validate requests by Origin: and Referer:? Aren't we basically pushing
> snake oil security measures if we do so?

I hereby propose that we drop the {anonymous:true} constructor argument and the "anonymous flag", and instead modify withCredentials to take three values: "samedomain" (default), "always" and "never". For backwards compatibility with earlier versions of the spec, setting withCredentials=true maps to "always" and withCredentials=false maps to "samedomain". 

This seems easier to understand, easier to implement, and handles all use cases of practical significance.

Anne: if you want rewrite proposals as pull requests, let me know ;-)

Hallvord R. M. Steen
Core tester, Opera Software

Received on Tuesday, 28 May 2013 14:08:55 UTC