On Mon, Jun 8, 2009 at 2:33 PM, Tyler Close<tyler.cl...@gmail.com> wrote:
> On Mon, Jun 8, 2009 at 2:17 PM, Anne van Kesteren<ann...@opera.com> wrote:
>> On Mon, 08 Jun 2009 23:13:29 +0200, Anne van Kesteren <ann...@opera.com>
>> wrote:
>>> On Mon, 08 Jun 2009 19:24:03 +0200, Tyler Close <tyler.cl...@gmail.com>
>>> wrote:
>>>> For CORS <http://www.w3.org/TR/access-control/>, and other parts of
>>>> web-apps, I think the above agreement is the important take-away from
>>>> this discussion. For sites with advertising, or other third-party
>>>> widgets, it would be nice to have a way for code to issue network
>>>> requests without impersonating the hosting page's Origin.
>>>
>>> We already have a feature to do a request without credentials. Set the
>>> withCredentials flag to false. (If you meant something else that was not
>>> clear from the context, at least to me.)
>>
>> Though saying that I realize this is currently a strictly cross-origin
>> feature. I suppose we can change that but having the defaults be different
>> is somewhat awkward.
>
> Right, there is also a need for same origin requests without
> credentials. For example, an advertisement on a social networking site
> could be able to send requests to the social networking site, just not
> under the user's credentials.
>
> I believe something like the following would satisfy the feature request:
>
> constructor: XMLHttpRequest()
> credentials: by default only back to same origin
>
> constructor: GuestXMLHttpRequest()
> credentials: no user credentials to any origin, including the same origin
But if there's a third-party script, say from an advertisement, running in your page, what's to prevent that script from instantiating an object that does send credentials?

/ Jonas