I would like to change and simplify the XMLHttpRequest spec (while it's still possible, AFAIK this part isn't widely implemented yet) BUT I want as much input as possible to ensure it's not insane to change it.
The question I'm pondering is regarding the anonymous mode in the current spec. Specifically:
- Should JS be able to send an XMLHttpRequest without Origin: and Referer: headers?
- If we do not allow this, do we cause security issues for sites or services that would otherwise be safe? The UMP spec says it helps prevent XSRF attacks to let developers opt into sending requests without these headers, but I'm not quite convinced by this claim. Nevertheless, because it has been "sold" as a security feature, it's a bit scary to remove.
If you have opinions on the questions I asked on public-webapps, please opine. There is more background in my post, the posts linked from there, and the rest of the thread.
Thanks in advance!