On Jun 19, 2008, at 2:36 PM, Jon Ferraiolo wrote:
>
> Maciej Stachowiak wrote:
> >
> >
> > On Jun 14, 2008, at 4:23 AM, Jonas Sicking wrote:
...snip...
>
> > I mean, I guess
> > it's possible people will do this, but people could add
> > "Access-Control-Allow-Credentials" site-wide too. And if we add
> > "Access-Control-Allow-Credentials-I-Really-Mean-It", they'll add
> > even more.
>
> Yes, this is certainly a possibility. But my hope is that this will
> happen to a smaller extent.
>
> I share the "smaller extent" hope with Jonas, and his latest
> proposals look good to me.
> My assumption is that 99% of all cross-site XHR usage will not
> require credentials/cookies. Therefore, what makes sense is a simple
> way that server developers can opt in to credential-free cross-site
> XHR which tells the browser to allow cross-site credential-free XHR
> to their site. Then, in an advanced section of the AC spec, talk
> about how some workflows might want credentials to be sent, and here
> is the extra header to enable credentials
> (Access-Control-Allow-Credentials), but this section of the spec
> should include SHOUTING TEXT about potential dangers and instruct the
> developer that he should not enable transmission of credentials
> unless he is sure that he needs it and he is sure that he knows what
> he is doing (such as understanding what a CSRF attack is). I realize
> that some developers won't read the spec carefully or notice the
> shouting text, but I expect most tutorials and examples on the Web
> will follow the lead from the spec and help teach people to steer
> clear of the Access-Control-Allow-Credentials header unless they
> know what they are doing.
Web developers don't read specs, they cut & paste. I think my
alternate proposal of using different header names (also suggested in
Microsoft's whitepaper) is actually safer against accidentally
enabling cookies, since a cut & paste error is unlikely to make you
process cookies that come under a different header name.
I am not sure you are right that 99% of uses for cross-site XHR won't
require credentials. Any such uses can be handled now on the server
side. Cross-site data mixing with credentials done in a secure way is
one of the biggest true new capabilities that would be offered.
Regards,
Maciej
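As an added illustration (not code from this thread, from any browser, or from any server), the following JavaScript models the two halves of the decision being argued about: which Access-Control headers a server emits for a given Origin, and whether the browser then lets the cross-site XHR caller read the response. It also models the "site-wide" credentials shortcut Maciej worries about and shows why it matters. The origins and policies are made up for the example, and the browser-side check follows the rule as it stands in the current CORS spec (credentials need an exact origin match plus the explicit opt-in header, never "*"), not the wording of the 2008 draft.

```javascript
// Added example, not code from the thread or from any Access-Control
// implementation. Origins and policies are constructed for illustration.
// The browser check follows today's CORS rule for credentialed requests.

// Server side: choose headers for a request from `origin` under `policy`.
//   policy.allowed          Set of origins permitted to read responses
//   policy.allowAll         publish to every origin (credential-free data)
//   policy.reflectAnyOrigin echo whatever Origin arrives ("site-wide" shortcut)
//   policy.credentials      opt in to cookies/HTTP auth being usable cross-site
function corsHeaders(origin, policy) {
  const headers = {};
  let allowOrigin;
  if (policy.reflectAnyOrigin) {
    allowOrigin = origin;
  } else if (policy.allowAll && !policy.credentials) {
    allowOrigin = "*";
  } else if (policy.allowed && policy.allowed.has(origin)) {
    allowOrigin = origin;
  } else {
    return headers; // not opted in: emit nothing, the browser refuses the read
  }
  headers["Access-Control-Allow-Origin"] = allowOrigin;
  // A per-origin answer must not be served from cache to a different origin.
  if (allowOrigin !== "*") headers["Vary"] = "Origin";
  if (policy.credentials) headers["Access-Control-Allow-Credentials"] = "true";
  return headers;
}

// Browser side: may a page at `origin`, which sent the request with or
// without credentials, read this response?
function browserAllowsRead(origin, withCredentials, headers) {
  const allowOrigin = headers["Access-Control-Allow-Origin"];
  if (allowOrigin === undefined) return false;
  if (withCredentials) {
    // Cookies were sent: the server must name this exact origin AND say
    // "true" in the separate credentials header. "*" never counts here.
    return allowOrigin === origin &&
      headers["Access-Control-Allow-Credentials"] === "true";
  }
  return allowOrigin === "*" || allowOrigin === origin;
}

// End-to-end: does a page at `origin` get to read a response from a server
// running `policy`?
function canRead(origin, withCredentials, policy) {
  return browserAllowsRead(origin, withCredentials, corsHeaders(origin, policy));
}

// Configuration lint for the combination the thread warns about: enabling
// credentials while answering every origin lets any site read the
// authenticated response using the victim's cookies.
function policyIsSafe(policy) {
  if (!policy.credentials) return true;
  return !policy.reflectAnyOrigin && !policy.allowAll;
}

// Constructed sample policies and origins.
const publicData   = { allowAll: true, credentials: false };
const partnerOnly  = { allowed: new Set(["https://partner.example"]), credentials: true };
const siteWideOops = { reflectAnyOrigin: true, credentials: true };
const partner  = "https://partner.example";
const attacker = "https://evil.example";

function demo() {
  return {
    publicReadableByAnyone:     canRead(attacker, false, publicData),   // true, intended
    partnerReadsWithCookies:    canRead(partner, true, partnerOnly),    // true, explicit opt-in
    attackerBlockedWithCookies: canRead(attacker, true, partnerOnly),   // false
    siteWideLeaksToAttacker:    canRead(attacker, true, siteWideOops),  // true: the danger
    lint: [policyIsSafe(publicData), policyIsSafe(partnerOnly), policyIsSafe(siteWideOops)],
  };
}
```

The point of keeping two headers is visible in `browserAllowsRead`: a server that only names an origin still does not expose cookie-authenticated data, because the read is refused unless the separate credentials header is also present. The `siteWideLeaksToAttacker` case is what happens when that second header is pasted into a site-wide configuration alongside an origin-reflecting allow header: the browser's check passes for every origin, and an attacker's page can read whatever the victim's cookies unlock.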