On Sun, Mar 17, 2013 at 5:25 PM, Jonas Sicking <jo...@sicking.cc> wrote: > On Sun, Mar 17, 2013 at 2:16 AM, Anne van Kesteren <ann...@annevk.nl> wrote: >> I tried to address both by pointing to UMP which wants both a) and b). >> The alternative would be to use <iframe sandbox=allow-scripts> which >> exhibits the same behavior given the unique origin (that also blocks >> Referer). I believe at least Maciej expressed interest in supporting >> the UMP use case. > > But *why* does UMP want this behavior? What's the use case?
I think they do not want to expose any kind of identifying information in the request to sort of force the capability model. > In the Firefox implementation { anon:true } does for all requests what > withCredentials=false does for cross-origin requests. I see. Is it called anon already or still mozAnon? There's an outstanding request to rename it to anonymous as most other terms are spelled out. -- http://annevankesteren.nl/