[whatwg] Fetch: crossorigin="anonymous" and XMLHttpRequest

Jonas Sicking jonas at sicking.cc
Sun Mar 17 10:25:22 PDT 2013


On Sun, Mar 17, 2013 at 2:16 AM, Anne van Kesteren <annevk at annevk.nl> wrote:
> On Sun, Mar 17, 2013 at 1:10 AM, Jonas Sicking <jonas at sicking.cc> wrote:
>> On Mon, Mar 11, 2013 at 4:31 AM, Anne van Kesteren <annevk at annevk.nl> wrote:
>>> Preceded the specification? I doubt that. When was it added? The
>>> specification was done start of 2010 somewhere based on the
>>> requirements coming from UMP:
>>> http://lists.w3.org/Archives/Public/public-webapps/2010JanMar/0340.html
>>
>> I see that my attempt at focusing on the important issues failed.
>> Would you like to debate whether the new syntax constitutes a new
>> feature or would you like to debate the technical issues of whether we
>> want the a) and b) behavior?
>
> I tried to address both by pointing to UMP which wants both a) and b).
> The alternative would be to use <iframe sandbox=allow-scripts> which
> exhibits the same behavior given the unique origin (that also blocks
> Referer). I believe at least Maciej expressed interest in supporting
> the UMP use case.

But *why* does UMP want this behavior? What's the use case?

I think there is value in indicating which webpage is making the
request. The problem that I understood UMP wanting to solve was the
confused deputy problem where it looked like the user was making the
request rather than the webpage.

> If anon:true means no more than withCredentials=false we should call
> it withCredentials instead as EventSource does at the moment. Although
> given XMLHttpRequest already has withCredentials there would be
> nothing new in that addition and generally we've refrained from adding
> such duplicate features.

In the Firefox implementation { anon:true } does for all requests what
withCredentials=false does for cross-origin requests.

/ Jonas