Re: More clarity about cookie handling

From: Anne van Kesteren <annevk@opera.com>
Date: Wed, 12 Dec 2007 15:47:22 +0100
To: "Jon Ferraiolo" <jferrai@us.ibm.com>, public-appformats@w3.org
Message-ID: <op.t278o8x064w2qv@annevk-t60.oslo.opera.com>

Hi Jon,

On Fri, 30 Nov 2007 19:03:46 +0100, Jon Ferraiolo <jferrai@us.ibm.com>  
wrote:
> [...] is that the wording about cookies needs to be
> clearer. The specification now says:
>
> ----------------
> When making a cross-site access request user agents should ensure to:
>       ...
>       Not to expose any trusted data, such as cookies, HTTP header data,
>       inappropriately
> ----------------
>
> I worry that the language can be mis-interpreted or misunderstood. What
> seems "inappropriate" to you might be different than what something else
> thinks. My opinion (shared with other OpenAjax members) is that we would
> like to see language that is simpler and more direct, such as "cookies
> SHOULD NOT be sent with cross-site requests".

That is actually the requirement after that one and only applies to  
authors. I modified this requirement to make it more clear that it is  
about the response.

If there are any further things the specification should clarify please  
let me know. Thanks!

Kind regards,


-- 
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>
Received on Wednesday, 12 December 2007 14:51:36 GMT