Reputation: 114579
I think there is something I don't understand about the same-origin limitation for XMLHttpRequest.
Instead of forbidding JavaScript code from sending HTTP requests to different hosts (something that is really annoying for legitimate uses), wouldn't it have been better to just allow the request but not send or accept cookies in that case?
Forbidding a specific script to get something that literally everyone else on the internet can get seems to me, at first sight, a quite weird choice...
What am I missing?
Upvotes: 1
Views: 602
Reputation: 541
What you're suggesting would initially save user data from being exploited, but this still means that code could be run from any other, potentially malicious domain, which could then read and transmit that cookie data without it being implicitly sent in a request. I guess how it is now was the best compromise between security and flexibility.
Upvotes: 0
Reputation: 120566
Instead of forbidding JavaScript code from sending HTTP requests to different hosts (something that is really annoying for legitimate uses), wouldn't it have been better to just allow the request but not send or accept cookies in that case?
That is what Cross-Origin Resource Sharing (CORS) specifies.
Care must always be taken by applications when making cross-origin requests with user credentials, and servers processing such requests must take care in the use of credentials, including the Origin header.
- When requests have significance other than retrieval, and when relying on the Origin header as a credential, servers must be careful to distinguish between authorizing a request and authorizing access to the representation of that resource in the response.
...
omit credentials flag
Set when user credentials are to be excluded in the request and when cookies are to be ignored in its response.
Forbidding a specific script to get something that literally everyone else on the internet can get seems to me, at first sight, a quite weird choice...
What am I missing?
It took web-standards bodies a while to realize that people would want to write serious JavaScript-heavy applications. Gmail changed all that, but standards bodies like the W3C take a while to fill functionality holes.
Upvotes: 2
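The split the second answer describes, as an added example that is not part of the original question or answers and not code from the CORS specification: a server-side decision that lets any origin read a public resource without cookies (the questioner's proposal), only echoes a specific origin when a cookie-bearing read is meant to be allowed, and, following the quoted warning about authorizing a request versus authorizing access to the response, refuses state-changing requests from unknown origins before acting on them. The function names, the `public` flag on the resource and the allowlisted origin are assumptions made for this example.

```javascript
// Added example (not from the original answers or the CORS spec): a server-side
// CORS decision. Function names, the resource's `public` flag and the
// allowlisted origin are hypothetical.

// Constructed allowlist: origins whose pages may read responses *with* cookies.
const CREDENTIALED_ORIGINS = new Set(['https://app.example.com']);

// requestHeaders uses lower-cased names, as most server frameworks present them.
// Returns the CORS response headers to add (possibly none).
function corsResponseHeaders(requestHeaders, resource) {
  const origin = requestHeaders['origin'];
  // No Origin header: same-origin navigation or a non-browser client.
  // There is nothing for the browser to enforce, so add nothing.
  if (origin === undefined) return {};

  if (resource.public) {
    // The questioner's proposal: anyone may read it, but with no cookies.
    // '*' is only legal when credentials are not allowed, so the browser
    // will refuse to expose the response to a page that asked for cookies.
    return { 'access-control-allow-origin': '*' };
  }

  if (CREDENTIALED_ORIGINS.has(origin)) {
    // Cookie-bearing reads: echo the exact origin (never '*') and mark the
    // response as origin-dependent so a shared cache does not hand it to
    // a page from another origin.
    return {
      'access-control-allow-origin': origin,
      'access-control-allow-credentials': 'true',
      vary: 'Origin',
    };
  }

  // Unknown origin: the browser still performs the fetch but blocks the
  // page from reading the response.
  return {};
}

// The spec's second warning: blocking the *response* does not undo the
// *request*. For anything that changes state, decide before acting.
const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS']);

function shouldProcessRequest(method, requestHeaders) {
  const origin = requestHeaders['origin'];
  if (SAFE_METHODS.has(method)) return true;
  // No Origin: not a cross-origin request made by a browser.
  if (origin === undefined) return true;
  // Cross-origin state change: only for origins we trust with credentials.
  // An opaque origin arrives as the string 'null' and is rejected here.
  return CREDENTIALED_ORIGINS.has(origin);
}

// Example call with constructed request headers:
// corsResponseHeaders({ origin: 'https://other.example' }, { public: true })
//   -> { 'access-control-allow-origin': '*' }
```

On the client side the choice the questioner asked for is the default: `fetch(url)` or an `XMLHttpRequest` with `withCredentials` left false sends no cookies cross-origin, and a page must opt in with `fetch(url, { credentials: 'include' })` or `xhr.withCredentials = true`, which only works when the server takes the allowlisted branch above.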