On Mon, Jun 8, 2009 at 5:25 PM, Jonas Sicking <[email protected]> wrote:
> On Mon, Jun 8, 2009 at 2:33 PM, Tyler Close <[email protected]> wrote:
> >
> > Right, there is also a need for same origin requests without
> > credentials. For example, an advertisement on a social networking site
> > could be able to send requests to the social networking site, just not
> > under the user's credentials.
> >
> > I believe something like the following would satisfy the feature request:
> >
> > constructor: XMLHttpRequest()
> > credentials: by default only back to same origin
> >
> > constructor: GuestXMLHttpRequest()
> > credentials: no user credentials to any origin, including the same origin
>
> But if there's a third-party script, say from an advertisement, running
> in your page, what's to prevent that script from instantiating an
> object that does send credentials?
>

This use-case was the motivation for ADsafe, though any of the
JavaScript sanitizers would do. Without some such sanitization
technology, it remains unsafe to load untrusted ads directly on your
page. Adam and I are still arguing fine points of just how unsafe, but
there's no question that the answer is at least "too unsafe".

With GuestXMLHttpRequest, such sanitized ads could be allowed to call
home safely without being able to impersonate their containing page's
origin.

--
Cheers,
--MarkM
