[whatwg] Fetch: crossorigin="anonymous" and XMLHttpRequest

Jonas Sicking jonas at sicking.cc
Mon Mar 18 12:57:22 PDT 2013


On Mon, Mar 18, 2013 at 5:43 AM, Anne van Kesteren <annevk at annevk.nl> wrote:
> On Sun, Mar 17, 2013 at 5:25 PM, Jonas Sicking <jonas at sicking.cc> wrote:
>> On Sun, Mar 17, 2013 at 2:16 AM, Anne van Kesteren <annevk at annevk.nl> wrote:
>>> I tried to address both by pointing to UMP which wants both a) and b).
>>> The alternative would be to use <iframe sandbox=allow-scripts> which
>>> exhibits the same behavior given the unique origin (that also blocks
>>> Referer). I believe at least Maciej expressed interest in supporting
>>> the UMP use case.
>>
>> But *why* does UMP want this behavior? What's the use case?
>
> I think they do not want to expose any kind of identifying information
> in the request to sort of force the capability model.

By not including cookies or other login information you are already
forcing the capability model since you can't tell the connection from
one that is server-to-server.

Including the referrer header, at least by default, seems very useful
still since there is lots of infrastructure in servers which are using
those for logging purposes.

>> In the Firefox implementation { anon:true } does for all requests what
>> withCredentials=false does for cross-origin requests.
>
> I see. Is it called anon already or still mozAnon? There's an
> outstanding request to rename it to anonymous as most other terms are
> spelled out.

I don't know what we're currently using off the top of my head.

/ Jonas



More information about the whatwg mailing list