
Re: [imports] credentials flag bits need to be updated to current fetch terminology

From: Hajime Morrita <morrita@google.com>
Date: Mon, 28 Jul 2014 15:21:51 -0700
Message-ID: <CALzNm5r0Xj5WMe9TsKjZx62G2kWzjJpr_UzXeMFGkXvDPYcd+w@mail.gmail.com>
To: Anne van Kesteren <annevk@annevk.nl>
Cc: Boris Zbarsky <bzbarsky@mit.edu>, public-webapps <public-webapps@w3.org>
I encountered a pre-release site that uses credentials to protect it from
Imports in that site failed to load because the UA didn't send credentials.
The current behavior solved this problem.

There are a couple of options that I didn't take:

- Always send credentials: We clearly shouldn't do this, for the same reason
  XHR doesn't do this.

- Introduce @crossorigin attribute: This seemed plausible, but I worried
  that this can be just redundant and hurt brevity
  if the credential-protected sites are the mainstream.
  Once a popular FAQ site recommends putting it all the time, that would
  become bad news.

Then send-only-same-origin looked like a promising way to go.
I think following XHR behavior makes sense because it is well understood as
it's been there for a long time and both imports and XHR load documents.
I'm not super confident about this though.

On Sun, Jul 27, 2014 at 4:18 AM, Anne van Kesteren <annevk@annevk.nl> wrote:

> On Tue, Jul 22, 2014 at 12:36 AM, Hajime Morrita <morrita@google.com>
> wrote:
> > It behaved like that before. I changed it to current one so that it works
> > with credential-protected in-house or staged apps.
> You'll need to elaborate a bit, I'm not sure I understand. In any
> event, I think XMLHttpRequest's default behavior of only sending
> credentials same-origin is somewhat confusing. If we only offer one
> mode for rel=import we should either always include credentials (and
> thus require more complicated CORS headers) or never.

> --
> http://annevankesteren.nl/

Received on Monday, 28 July 2014 22:22:19 UTC
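
The three behaviours weighed in this thread (always send, never send, send only same-origin) correspond to the Fetch credentials modes `include`, `omit` and `same-origin`. The following added example, which is not part of the original messages or of any specification text, models which requests carry credentials and which CORS response headers are then required; the function names and the `app.example` / `cdn.example` origins are constructed for illustration.

```javascript
// Added illustration. Function names are hypothetical, not a browser API.

// Does the user agent attach cookies / HTTP auth to this request?
function sendsCredentials(mode, documentOrigin, targetUrl) {
  const sameOrigin = new URL(targetUrl).origin === documentOrigin;
  if (mode === "include") return true;          // "always send"
  if (mode === "same-origin") return sameOrigin; // XHR default
  if (mode === "omit") return false;             // "never send"
  throw new TypeError("unknown credentials mode: " + mode);
}

// CORS check for a cross-origin response. `headers` is a plain object
// with lower-cased header names (constructed sample input).
function corsCheck(mode, documentOrigin, headers) {
  const allowOrigin = headers["access-control-allow-origin"];
  if (allowOrigin === undefined) return false;
  // The wildcard is only honoured when credentials are not in play.
  if (mode !== "include" && allowOrigin === "*") return true;
  if (allowOrigin !== documentOrigin) return false;
  if (mode !== "include") return true;
  // With credentials, the server must also opt in explicitly.
  return headers["access-control-allow-credentials"] === "true";
}

// Constructed scenarios: one document origin, two import targets.
const APP = "https://app.example";
const SAME = "https://app.example/components/menu.html";
const CROSS = "https://cdn.example/components/menu.html";

function summarize() {
  return ["omit", "same-origin", "include"].map((mode) => ({
    mode,
    sameOriginGetsCredentials: sendsCredentials(mode, APP, SAME),
    crossOriginGetsCredentials: sendsCredentials(mode, APP, CROSS),
    wildcardCorsAccepted: corsCheck(mode, APP, {
      "access-control-allow-origin": "*",
    }),
  }));
}

console.table(summarize());
```

Only the `include` row rejects `Access-Control-Allow-Origin: *`, which is the "more complicated CORS headers" cost mentioned in the quoted reply.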
