[whatwg] Fetch: crossorigin="anonymous" and XMLHttpRequest

Anne van Kesteren annevk at annevk.nl
Sun Mar 17 02:16:03 PDT 2013

On Sun, Mar 17, 2013 at 1:10 AM, Jonas Sicking <jonas at sicking.cc> wrote:
> On Mon, Mar 11, 2013 at 4:31 AM, Anne van Kesteren <annevk at annevk.nl> wrote:
>> Preceded the specification? I doubt that. When was it added? The
>> specification was done start of 2010 somewhere based on the
>> requirements coming from UMP:
>> http://lists.w3.org/Archives/Public/public-webapps/2010JanMar/0340.html
> I see that my attempt at focusing on the important issues failed.
> Would you like to debate whether the new syntax constitutes a new
> feature or would you like to debate the technical issues of whether we
> want the a) and b) behavior?

I tried to address both by pointing to UMP which wants both a) and b).
The alternative would be to use <iframe sandbox=allow-scripts> which
exhibits the same behavior given the unique origin (that also blocks
Referer). I believe at least Maciej expressed interest in supporting
the UMP use case.

If anon:true means no more than withCredentials=false we should call
it withCredentials instead as EventSource does at the moment. Although
given XMLHttpRequest already has withCredentials there would be
nothing new in that addition and generally we've refrained from adding
such duplicate features.


More information about the whatwg mailing list