On Tue, May 14, 2013 at 11:46 AM, Hallvord Reiar Michaelsen Steen <hallv...@opera.com> wrote: > Say, for example, OpenID is a setup where the user might provide an > "untrusted" URL to a third-party web site ("Here's the service that can > authenticate me"), and XHR might be involved - but the Open ID *provider* > would of course want to know what site it is interacting with, to present > some information about what authenticating means to the user..
Why? That information could be in the resource. Or if you e.g. implement your own browser-like thing that accepts arbitrary URLs you would want something similar. You might also want to do same-origin requests that do not include the overhead of Cookie / Origin / Referrer headers. HTML already has rel=noreferrer for that. We should expose functionality like that in the low-level API. -- http://annevankesteren.nl/