Starred by 4 users

Issue metadata

Status: Available
Owner: ----
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 2
Type: Bug


Issue 602925: Measure how many pages are using cross-origin XHR with credentials

Reported by, Apr 13 2016 Project Member

Issue description

To provide data points to the discussion at about XHR spec, we'd like to gather a metric of how many pages are using cross-origin XHR with withCredentials set to true.

This UMA item doesn't need to live for a long time. Once the data is obtained, remove it.

Comment 1 by, Apr 13 2016

Components: Blink>Network>XHR

Comment 2 by, Apr 13 2016

We can calculate the ratio by comparing the value for the new counter against the sum of XMLHttpRequestAsynchronous and XMLHttpRequestSynchronous.

Comment 3 by, Apr 14 2016

@tyoshino, do we have any way of determining, for a given request, whether the withCredentials flag NEEDED to be set? IOW, can we see whether the request ACTUALLY passed any credential-related information and/or whether the response included Access-Control-Allow-Credentials: true?

It would be useful (I think) to know whether withCredentials is being set by the client because the developer KNOWS that she will be passing credentials or whether it's just being set because the developer doesn't understand the CORS requirement (or perhaps just copied an existing bit of code).

Does that make sense?

Comment 4 by, Apr 15 2016

Yeah. I was also worried about the possibility that people are using some library or c&p code, as you said, with withCredentials just always set. But in Chrome, actual cookie generation, etc. happens inside the net/ stack, which is abstracted away from our Blink rendering engine. It would be more work to exchange the initiator information (XHR/Fetch is involved, some credentials were sent). So, let me just start with this method.
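The distinction raised in comment 3 and the per-page ratio from comment 2, worked through as an added example (not Chromium code and not part of the original thread). It runs over constructed request records; the field names `page`, `sentCredentials` and `acac` (the response's Access-Control-Allow-Credentials value) are assumptions, since the counter discussed here only sees the URL and the flag.

```javascript
// Constructed records for illustration; every field name here is hypothetical.
const SAMPLE_XHRS = [
  { page: 'https://app.example/', url: '/api/me', withCredentials: true, sentCredentials: true, acac: null },
  { page: 'https://app.example/', url: 'https://api.example/v1/user', withCredentials: true, sentCredentials: true, acac: 'true' },
  { page: 'https://blog.example/', url: 'https://cdn.example/data.json', withCredentials: true, sentCredentials: false, acac: null },
  { page: 'https://news.example/', url: 'https://api.example/v1/public', withCredentials: false, sentCredentials: false, acac: null },
  { page: 'https://shop.example:8443/', url: 'https://shop.example/cart', withCredentials: true, sentCredentials: true, acac: null },
  { page: 'https://docs.example/', url: '/search?q=cors', withCredentials: true, sentCredentials: true, acac: null },
];

// An origin is scheme + host + port, so a different port alone is cross-origin.
function isCrossOrigin(page, url) {
  const base = new URL(page);
  return new URL(url, base).origin !== base.origin;
}

// Answers comment 3's question for one request: did the flag matter?
function classify(x) {
  if (!isCrossOrigin(x.page, x.url)) return 'same-origin';
  if (!x.withCredentials) return 'cross-origin-no-flag';
  if (!x.sentCredentials) return 'flag-unneeded';
  // Credentials went out; the response is readable only if the server opted in.
  return x.acac === 'true' ? 'credentialed-used' : 'credentialed-blocked';
}

// Per-page ratio in the spirit of comment 2: pages with at least one
// cross-origin XHR that set withCredentials, over pages that used XHR at all.
function pageRatio(xhrs) {
  const anyXhr = new Set();
  const counted = new Set();
  for (const x of xhrs) {
    anyXhr.add(x.page);
    if (isCrossOrigin(x.page, x.url) && x.withCredentials) counted.add(x.page);
  }
  return counted.size / anyXhr.size;
}

console.log(SAMPLE_XHRS.map(classify), pageRatio(SAMPLE_XHRS));
```

Only the `flag-unneeded` bucket corresponds to the "copied code" case; a flag-only counter puts it in the same total as the two `credentialed-*` buckets.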

Comment 6 by, Apr 18 2016

Included from branch 2710. From data for 52.0.2710.0 (canary),

XMLHttpRequestCrossOriginWithCredentials / (XMLHttpRequestAsynchronous + XMLHttpRequestSynchronous) = ~30%

It's a lot.

Comment 7 by, Apr 18 2016

I would have guessed slightly lower - about 25% - but it's in the ballpark of what I would have guessed.

I was (am) involved in some discussions on the WHATWG forums (, where I said that my gut feeling is that the percentage of credentialed requests is higher than many people assume. This was in relation to the idea of making some of the new CORS features available for credentialed requests, since otherwise they wouldn't get the benefit.

Not that this proves anything (as you say, this is only on a canary release, so we can't extrapolate too much)...

Comment 8 by, Feb 20 2018

Owner: ----
Status: Available (was: Started)
The WHATWG issue has been closed.

For the record, these are the metrics used in comment 6.

We could remove the histogram item now.
