On Mon, Jun 8, 2009 at 2:44 PM, Anne van Kesteren <[email protected]> wrote:
> > I think we have some freedom to change some of the details here as long as > the motivation is perfectly clear and agreed upon by those that have already > implemented the draft. > > I sort of like the idea of having a new (named) constructor or maybe have > the constructor take an argument to indicate credentials are supposed to be > omitted. This would also allow us to drop the withCredentials flag. > > That's wonderful news. I second Tyler's earlier suggestion: On Mon, Jun 8, 2009 at 2:33 PM, Tyler Close <[email protected]> wrote: > constructor: GuestXMLHttpRequest() > credentials: no user credentials to any origin, including the same origin > where "credentials" includes normal HTTP credentials, cookies, identified Origin headers, and client side certs. (and as Tyler said in earlier email) instance API identical to the API of XMLHttpRequest instances. For concreteness, for the Origin header for these requests, I'll start with the simplest proposal that meets my goals: no Origin header for either same origin requests or cross origin requests. But for both the same origin case and the cross origin case, I am actually indifferent between no Origin header and an "Origin: null" header. If there's a reason for the "Origin: null" header, I'm happy with that. -- Cheers, --MarkM
