On Wed, 17 Feb 2010 11:33:16 +0100, Jonas Sicking <[email protected]> wrote:
> I do sort of like the idea that UMP is the "credential less model".
> I.e. that we essentially have two modes: UMP, with no user credentials
> (cookies, auth headers, etc) and no server credentials (origin
> header), and full-on with-credentials (with cookies, origin etc).
Right, this is what I am proposing with UMP being new XMLHttpRequest(true).
> There are a few problems however:
>
> * Need to figure out the syntax to choose between the two modes
>
> * UMP doesn't include the referer header (right?). I suspect sites
> will be sad about this as it is often used for things not related to
> security. Possibly they'll be sad enough that they'll opt in to
> credentials just to get the referrer header sent. That defeats the
> purpose of having credential less requests.
Sending the Referer header would defeat the purpose of origin being a
globally unique identifier.
> * Same-site XHR defaults to with-credentials. But cross-site I
> strongly want to default to without credentials. This complicates the
> syntax issue.
Well, we'd have to give that up, basically.
Having said that, I guess we're stuck with withCredentials, however sad. I
have made the change that open() raises an INVALID_ACCESS_ERR if you
provide either username or password for a cross-origin request. That seems
relatively safe and better than simply ignoring the arguments.
--
Anne van Kesteren
http://annevankesteren.nl/
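Added example, not part of the thread above and not code from any browser or from the XMLHttpRequest/UMP drafts: a small Node.js model of the two request modes the message describes. It encodes the proposal as stated there (a credential-less mode that sends no cookies, no Authorization, no Origin and no Referer; a with-credentials mode that sends all of them; same-origin defaulting to with-credentials and cross-origin to without; open() raising INVALID_ACCESS_ERR when a username or password is supplied for a cross-origin request). The function and option names (sameOrigin, buildRequestHeaders, documentUrl, withCredentials) are assumptions chosen for the example, and the origin comparison is the usual (scheme, host, port) tuple check.

```javascript
// Model of the two XHR credential modes discussed in the thread.
// This is illustrative code, not a browser implementation; shipping
// browsers and the final CORS spec behave differently in places.

const INVALID_ACCESS_ERR = "INVALID_ACCESS_ERR";

// Two URLs are same-origin when scheme, host and port all match.
// Node's URL parser already drops default ports (":80" for http,
// ":443" for https), so the port comparison handles them correctly.
function sameOrigin(a, b) {
  const ua = new URL(a);
  const ub = new URL(b);
  return (
    ua.protocol === ub.protocol &&
    ua.hostname === ub.hostname &&
    ua.port === ub.port
  );
}

// Decide which request-side credentials are attached to a request.
//   documentUrl     URL of the page issuing the request (assumed input)
//   url             request target
//   withCredentials undefined = use the default for the origin relation,
//                   true/false = explicit choice
//   username/password   the optional open() arguments
//   cookie/authorization   credentials the user agent holds for the target
function buildRequestHeaders(opts) {
  const {
    documentUrl,
    url,
    withCredentials,
    username = null,
    password = null,
    cookie = null,
    authorization = null,
  } = opts;

  const crossOrigin = !sameOrigin(documentUrl, url);

  // The check Anne describes: user/password on a cross-origin open()
  // is rejected rather than silently ignored.
  if (crossOrigin && (username !== null || password !== null)) {
    throw new Error(INVALID_ACCESS_ERR);
  }

  // Defaults from the thread: same-origin -> with credentials,
  // cross-origin -> without, unless the caller chose explicitly.
  const credentialed =
    withCredentials === undefined ? !crossOrigin : Boolean(withCredentials);

  const headers = {};
  if (credentialed) {
    // User credentials.
    if (cookie !== null) headers["Cookie"] = cookie;
    if (authorization !== null) headers["Authorization"] = authorization;
    if (username !== null || password !== null) {
      // Same-origin only (cross-origin already threw above).
      headers["Authorization"] =
        "Basic " + Buffer.from(`${username || ""}:${password || ""}`).toString("base64");
    }
    // Server credentials: Origin identifies the requester to a
    // cross-origin server; Referer is sent in this mode as well, which is
    // what a credential-less mode deliberately omits.
    if (crossOrigin) headers["Origin"] = new URL(documentUrl).origin;
    headers["Referer"] = documentUrl;
  }
  // Credential-less mode: no Cookie, Authorization, Origin or Referer.

  return { crossOrigin, credentialed, headers };
}

module.exports = { INVALID_ACCESS_ERR, sameOrigin, buildRequestHeaders };
```

Note that the model only covers what the message states; it says nothing about preflight, response headers, or how a server would opt in, which the thread does not discuss here.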