W3C home > Mailing lists > Public > whatwg@whatwg.org > March 2013

Re: [whatwg] Fetch: crossorigin="anonymous" and XMLHttpRequest

From: Nils Dagsson Moskopp <nils@dieweltistgarnichtso.net>
Date: Thu, 21 Mar 2013 00:41:14 +0100
To: Anne van Kesteren <annevk@annevk.nl>
Message-ID: <20130321004114.61c1cbe3@desudesudesu>
Cc: WHATWG <whatwg@whatwg.org>, Jonas Sicking <jonas@sicking.cc>
Anne van Kesteren <annevk@annevk.nl> schrieb am Wed, 20 Mar 2013
17:31:14 -0400:

> If you do an XMLHttpRequest from a document hosted at
> /superlonghashkeythatactsasauthenticationtoken you probably do not
> want to expose the Referer header.

A GET request should be idempotent, so what would be the problem? If
subsequent access changes the state of the resource, that seems broken.

> Now 1) this document should be
> hosted over https so this is less likely to be a concern given actual
> implementations of Referer over https and b) for same-origin requests
> this matters less (if at all), it still seems better if anonymous is
> anonymous.

I'd suggest using HMACs instead of hashes for signed action URLs. Right?

Nils Dagsson Moskopp // erlehmann
Received on Wednesday, 20 March 2013 23:41:56 UTC

This archive was generated by hypermail 2.4.0 : Wednesday, 22 January 2020 16:59:56 UTC