For what it's worth, it's too late to remove the withCredentials flag from Firefox 3.5.
Not putting any demands on the spec though. / Jonas On Mon, Jun 8, 2009 at 2:44 PM, Anne van Kesteren<[email protected]> wrote: > On Mon, 08 Jun 2009 23:35:21 +0200, Mark S. Miller <[email protected]> > wrote: >> >> When the withCredentials flag is set to false, does it also issue an >> "Origin: null" header? If not, then -- given the recommended server >> behavior -- this flag isn't doing its job, since an identified origin header >> is still a form of credential. As mentioned earlier, for credential-free >> same origin requests, it would be adequate either to say "Origin: null" or >> to leave the Origin header absent. > > The flag is currently not doing "its job" then. When we designed this > feature we made it only affect HTTP authentication and cookies. > > I think we have some freedom to change some of the details here as long as > the motivation is perfectly clear and agreed upon by those that have already > implemented the draft. > > I sort of like the idea of having a new (named) constructor or maybe have > the constructor take an argument to indicate credentials are supposed to be > omitted. This would also allow us to drop the withCredentials flag. > > > -- > Anne van Kesteren > http://annevankesteren.nl/ > >
