[whatwg] Fetch: crossorigin="anonymous" and XMLHttpRequest
Anne van Kesteren
annevk at annevk.nl
Mon Mar 18 05:43:04 PDT 2013
On Sun, Mar 17, 2013 at 5:25 PM, Jonas Sicking <jonas at sicking.cc> wrote:
> On Sun, Mar 17, 2013 at 2:16 AM, Anne van Kesteren <annevk at annevk.nl> wrote:
>> I tried to address both by pointing to UMP which wants both a) and b).
>> The alternative would be to use <iframe sandbox=allow-scripts> which
>> exhibits the same behavior given the unique origin (that also blocks
>> Referer). I believe at least Maciej expressed interest in supporting
>> the UMP use case.
>
> But *why* does UMP want this behavior? What's the use case?
I think they do not want to expose any kind of identifying information
in the request to sort of force the capability model.
> In the Firefox implementation { anon:true } does for all requests what
> withCredentials=false does for cross-origin requests.
I see. Is it called anon already or still mozAnon? There's an
outstanding request to rename it to anonymous as most other terms are
spelled out.
--
http://annevankesteren.nl/
More information about the whatwg
mailing list