- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Wed, 20 Mar 2013 17:31:14 -0400
- To: Jonas Sicking <jonas@sicking.cc>
- Cc: WHATWG <whatwg@whatwg.org>
On Wed, Mar 20, 2013 at 12:54 PM, Jonas Sicking <jonas@sicking.cc> wrote:
> On Tue, Mar 19, 2013 at 8:08 PM, Anne van Kesteren <annevk@annevk.nl> wrote:
>> Not if the referring URL was a capability, which I think might have
>> been the point.
>
> I don't understand what that means. Could you explain?

If you do an XMLHttpRequest from a document hosted at /superlonghashkeythatactsasauthenticationtoken you probably do not want to expose the Referer header. Now 1) this document should be hosted over https so this is less likely to be a concern given actual implementations of Referer over https and 2) for same-origin requests this matters less (if at all), it still seems better if anonymous is anonymous.

> That said, allowing both anonymous and non-anonymous requests to do
> xhr.setRequestHeader("referer", "") might be a good idea. I.e. being
> able to set it explicitly to the empty string.

Okay. Does anonymous also mean not handling 401 by prompting the user? What about 407?

--
http://annevankesteren.nl/
Received on Wednesday, 20 March 2013 21:31:39 UTC
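The leak the message describes can be made concrete with a small model of which Referer value a browser would attach to a request. The following is an added example, not code from the thread or from any WHATWG specification: `refererFor` applies the classic rule that a page served over https sends no Referer to a non-https URL (the "actual implementations of Referer over https" Anne refers to), and the `anonymous` and `explicitEmptyReferer` options are assumptions standing in for the anonymous-request proposal and the `setRequestHeader("referer", "")` idea under discussion, not real XMLHttpRequest options. `leaksToken` then checks whether a capability token in the document path would appear in the header that gets sent.

```javascript
// Added example, not from the original message or any specification.
// Models the Referer value attached to a request from `documentUrl`
// to `requestUrl` so that the capability-URL leak in the thread can be
// reasoned about case by case.
//
// opts.anonymous and opts.explicitEmptyReferer are assumptions that
// model the proposals being discussed; they are not real XHR options.
function refererFor(documentUrl, requestUrl, opts = {}) {
  const { anonymous = false, explicitEmptyReferer = false } = opts;

  // Both proposals in the thread amount to "send no Referer at all".
  if (anonymous || explicitEmptyReferer) return null;

  const doc = new URL(documentUrl);
  const req = new URL(requestUrl);

  // Classic behaviour: a page loaded over https does not reveal its URL
  // to a request that is not itself https.
  if (doc.protocol === 'https:' && req.protocol !== 'https:') return null;

  // Otherwise the document URL is sent, minus fragment and credentials.
  doc.hash = '';
  doc.username = '';
  doc.password = '';
  return doc.href;
}

// True when the capability token from the document path would travel
// in the Referer header of this request.
function leaksToken(documentUrl, requestUrl, token, opts = {}) {
  const ref = refererFor(documentUrl, requestUrl, opts);
  return ref !== null && ref.includes(token);
}

// Constructed sample values; "example.test" is a placeholder host and
// the token is the one used illustratively in the message.
const TOKEN = 'superlonghashkeythatactsasauthenticationtoken';
const SECURE_DOC = 'https://example.test/' + TOKEN;

// Same-origin https request from the capability URL: token is in Referer.
console.log(leaksToken(SECURE_DOC, 'https://example.test/api', TOKEN));
// https page to http endpoint: stripped by the downgrade rule.
console.log(leaksToken(SECURE_DOC, 'http://example.test/api', TOKEN));
// Anonymous request: nothing sent regardless of scheme.
console.log(leaksToken(SECURE_DOC, 'https://example.test/api', TOKEN, { anonymous: true }));
```

The first case is the one the message is about: a same-scheme request from a capability URL still carries the token, which is why "anonymous is anonymous" is the safer default even when the page is https-only.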