Should JS be able to send XMLHttpRequest without Origin: and Referer: headers?
Monday, May 27, 2013 10:32:51 AM
The question I'm pondering is regarding the anonymous mode in the current spec. Specifically:
- Should JS be able to send XMLHttpRequest without Origin: and Referer: headers?
- If we do not allow this, do we cause security issues for sites or services that would otherwise be safe? The UMP spec says it helps prevent XSRF attacks to let developers opt into sending requests without these headers, but I'm not quite convinced by this claim. Nevertheless, because it has been "sold" as a security feature it's a bit scary to remove.
If you have opinions on the questions I asked on public-webapps, please opine. There is more background in my post, the posts linked from there, and the rest of the thread.
Thanks in advance!