Should JS be able to send XMLHttpRequest without Origin: and Referer: headers?

I would like to change and simplify the XMLHttpRequest spec (while it's still possible, AFAIK this part isn't widely implemented yet) BUT I want as much input as possible to ensure it's not insane to change it.

The question I'm pondering is regarding the anonymous mode in the current spec. Specifically:

  • Should JS be able to send XMLHttpRequest without Origin: and Referer: headers?
  • If we do not allow this, do we cause security issues for sites or services that would otherwise be safe? The UMP spec says it helps prevent XSRF attacks to let developers opt into sending requests without these headers, but I'm not quite convinced by this claim. Nevertheless, because it has been "sold" as a security feature it's a bit scary to remove.

If you have opinions on the questions I asked on public-webapps, please opine. There is more background in my post, the posts linked from there, and the rest of the thread.

Thanks in advance!


3 thoughts on “Should JS be able to send XMLHttpRequest without Origin: and Referer: headers?”

  1. I've never been really into security things – in a perfect world I wouldn't send the headers in any case, making the communication a bit faster :) Anyway, as that is not going to happen, I will just say that I don't think the "turn withCredentials into a sort of tri-state flag" is a good idea. How would one set the flag back to the not-set state? xhr.withCredentials=undefined? If so, then if anyone needed to test the state they would have to remember that !xhr.withCredentials returns true for both false and undefined etc… The "sendCredentials" property is imo a much better idea. Yes, it would make a little mess for a while, but I don't think the anon/credentials flags are used that much yet anyway.

  2. Good points. I'm planning to suggest (for real this time) turning withCredentials into an enum – "samedomain", "always" and "never" – and just map true and false to 'always' and 'samedomain' for back compat.

  3. As someone who uses Opera as a main browser and always with "Send referrer information" disabled, it is my opinion that it should not matter where I came from, only that I got there.
