Re: [whatwg] Fetch: crossorigin="anonymous" and XMLHttpRequest

On Sun, Mar 17, 2013 at 5:25 PM, Jonas Sicking <jonas@sicking.cc> wrote:
> On Sun, Mar 17, 2013 at 2:16 AM, Anne van Kesteren <annevk@annevk.nl> wrote:
>> I tried to address both by pointing to UMP which wants both a) and b).
>> The alternative would be to use <iframe sandbox=allow-scripts> which
>> exhibits the same behavior given the unique origin (that also blocks
>> Referer). I believe at least Maciej expressed interest in supporting
>> the UMP use case.
>
> But *why* does UMP want this behavior? What's the use case?

I think they do not want to expose any kind of identifying information
in the request to sort of force the capability model.


> In the Firefox implementation { anon:true } does for all requests what
> withCredentials=false does for cross-origin requests.

I see. Is it called anon already or still mozAnon? There's an
outstanding request to rename it to anonymous as most other terms are
spelled out.


-- 
http://annevankesteren.nl/

Received on Monday, 18 March 2013 12:43:33 UTC