9017 – The origin argument should be used to determine whether Referer is to be omitted for XMLHttpRequest. I'm not a 100% sure at the moment when that would matter, but it seems safer.

This is an archived snapshot of W3C's public bugzilla bug tracker, decommissioned in April 2019. Please see the home page for more details.

Bug 9017 - The origin argument should be used to determine whether Referer is to be omitted for XMLHttpRequest. I'm not a 100% sure at the moment when that would matter, but it seems safer.

Summary: The origin argument should be used to determine whether Referer is to be omit...

Status:	CLOSED WONTFIX

Alias:	None

Product:	HTML WG
Classification:	Unclassified
Component:	pre-LC1 HTML5 spec (editor: Ian Hickson) (show other bugs)
Version:	unspecified
Hardware:	Other other

Importance:	P3 normal
Target Milestone:	LC
Assignee:	Ian 'Hixie' Hickson
QA Contact:	HTML WG Bugzilla archive list

URL:	http://www.whatwg.org/specs/web-apps/...
Whiteboard:
Keywords:

Depends on:
Blocks:

Reported:	2010-02-16 10:02 UTC by contributor
Modified:	2018-10-29 06:12 UTC (History)
CC List:	6 users (show)

See Also:

Attachments

Description contributor 2010-02-16 10:02:41 UTC

Section: http://www.whatwg.org/specs/web-apps/current-work/#fetch

Comment:
The origin argument should be used to determine whether Referer is to be
omitted for XMLHttpRequest. I'm not a 100% sure at the moment when that would
matter, but it seems safer.

Posted from: 213.236.208.22

Comment 1 Ian 'Hixie' Hickson 2010-02-23 01:54:23 UTC

EDITOR'S RESPONSE: This is an Editor's Response to your comment. If you are satisfied with this response, please change the state of this bug to CLOSED. If you have additional information and would like the editor to reconsider, please reopen this bug. If you would like to escalate the issue to the full HTML Working Group, please add the TrackerRequest keyword to this bug, and suggest title and text for the tracker issue; or you may create a tracker issue yourself, if you are able to do so. For more details, see this document:
   http://dev.w3.org/html5/decision-policy/decision-policy.html

Status: Rejected
Change Description: no spec change
Rationale: It's not safer, it's wrong. :-) The 'origin' parameter is only used for deciding if there should be an Origin header, as part of the origin privacy stuff.

Comment 2 Anne 2010-02-23 11:16:54 UTC

It is also used for its value. Having said, I think this will work out fine. I cannot imagine a situation where you can get an XMLHttpRequest constructor object of which the XMLHttpRequest origin is a unique identifier but Referer would still be a useful value.