[whatwg] Fetch: crossorigin="anonymous" and XMLHttpRequest

Anne van Kesteren annevk at annevk.nl
Wed Mar 20 14:31:14 PDT 2013

On Wed, Mar 20, 2013 at 12:54 PM, Jonas Sicking <jonas at sicking.cc> wrote:
> On Tue, Mar 19, 2013 at 8:08 PM, Anne van Kesteren <annevk at annevk.nl> wrote:
>> Not if the referring URL was a capability, which I think might have
>> been the point.
> I don't understand what that means. Could you explain?

If you do an XMLHttpRequest from a document hosted at
/superlonghashkeythatactsasauthenticationtoken you probably do not
want to expose the Referer header. Now 1) this document should be
hosted over https so this is less likely to be a concern given actual
implementations of Referer over https and b) for same-origin requests
this matters less (if at all), it still seems better if anonymous is

> That said, allowing both anonymous and non-anonymous requests to do
> xhr.setRequestHeader("referer", "") might be a good idea. I.e. being
> able to set it explicitly to the empty string.


Does anonymous also mean not handling 401 by prompting the user? What about 407?


More information about the whatwg mailing list