[whatwg] Fetch: crossorigin="anonymous" and XMLHttpRequest
Anne van Kesteren
annevk at annevk.nl
Tue Mar 19 04:20:33 PDT 2013
On Mon, Mar 18, 2013 at 3:57 PM, Jonas Sicking <jonas at sicking.cc> wrote:
> By not including cookies or other login information you are already
> forcing the capability model since you can't tell the connection from
> one that is server-to-server.
> Including the referrer header, at least by default, seems very useful
> still since there is lots of infrastructure in servers which are using
> those for logging purposes.
I don't disagree, but they wanted to avoid exposing any kind of
originating data so people could not make trust decisions based on
that at all (however silly doing that may be). See
http://www.w3.org/TR/UMP/#request-sending in particular.
I don't really mind what we do here either way.
More information about the whatwg