[whatwg] Fetch: crossorigin="anonymous" and XMLHttpRequest

Anne van Kesteren annevk at annevk.nl
Mon Mar 18 05:43:04 PDT 2013

On Sun, Mar 17, 2013 at 5:25 PM, Jonas Sicking <jonas at sicking.cc> wrote:
> On Sun, Mar 17, 2013 at 2:16 AM, Anne van Kesteren <annevk at annevk.nl> wrote:
>> I tried to address both by pointing to UMP which wants both a) and b).
>> The alternative would be to use <iframe sandbox=allow-scripts> which
>> exhibits the same behavior given the unique origin (that also blocks
>> Referer). I believe at least Maciej expressed interest in supporting
>> the UMP use case.
> But *why* does UMP want this behavior? What's the use case?

I think they do not want to expose any kind of identifying information
in the request to sort of force the capability model.

> In the Firefox implementation { anon:true } does for all requests what
> withCredentials=false does for cross-origin requests.

I see. Is it called anon already or still mozAnon? There's an
outstanding request to rename it to anonymous as most other terms are
spelled out.


More information about the whatwg mailing list