
Re: More clarity about cookie handling

From: Anne van Kesteren <annevk@opera.com>
Date: Fri, 30 Nov 2007 19:38:55 +0100
To: "Jon Ferraiolo" <jferrai@us.ibm.com>, public-appformats@w3.org
Message-ID: <op.t2mbe5s764w2qv@annevk-t60.oslo.opera.com>

Thanks for your comments. I will reply again later when I make the draft  
more clear, but I thought it would be nice to point out some  
misunderstandings right away.


On Fri, 30 Nov 2007 19:03:46 +0100, Jon Ferraiolo <jferrai@us.ibm.com>  
wrote:
> ----------------
> When making a cross-site access request user agents:
> ...
> * SHOULD NOT transmit cookies or HTTP header data
> ----------------

Just a quick response. Cookies are transmitted if the user previously
authenticated at the site the request goes towards. The idea is that
cookie information in the _response_ is not revealed (responseXML.cookie
for instance) and also that Web authors cannot set cookie headers.


> * I expect the words "HTTP header data" might need some work since the
> specification does indicate that in some cases some HTTP headers are  
> sent.

This is, again, about the response.


> * Although I haven't discovered any specific security problems, that
> doesn't mean none exists.

Agreed. :-)


-- 
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>
Received on Friday, 30 November 2007 18:43:33 UTC
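The three rules Anne describes above (the user agent attaches the cookies it already holds for the target site, the page's script cannot supply a Cookie header of its own, and Set-Cookie in the response is never exposed to script) can be modelled in a few lines. The following is an added illustration written for this archive page; it is not code from the thread, from Opera, or from any browser. The host `bank.example`, the cookie jar contents, the `simulateCrossSiteRequest` function and the header sets are all constructed for the example.

```javascript
// Added illustration, not from the original thread: a minimal model of a
// user agent's cookie handling for a cross-site access request.

// Request headers a page's script is not allowed to set itself; the user
// agent fills these in from its own cookie jar instead (assumed list).
const AUTHOR_FORBIDDEN_REQUEST_HEADERS = new Set(['cookie', 'cookie2']);

// Response headers withheld from script so cookie state is not revealed
// (assumed list).
const SCRIPT_HIDDEN_RESPONSE_HEADERS = new Set(['set-cookie', 'set-cookie2']);

// Constructed cookie jar keyed by host: pretend the user authenticated at
// bank.example earlier in the browsing session.
const cookieJar = {
  'bank.example': { session: 'abc123' },
};

// Serialise the jar entries for one host into a Cookie header value.
function cookieHeaderFor(jar, host) {
  const cookies = jar[host] || {};
  return Object.entries(cookies).map(([k, v]) => `${k}=${v}`).join('; ');
}

// jar:           the user agent's cookie jar
// targetHost:    site the cross-site request goes to
// authorHeaders: headers the page's script asked to send
// response:      what the target host answered (constructed)
// Returns the headers actually sent and the headers the script may read.
function simulateCrossSiteRequest({ jar, targetHost, authorHeaders, response }) {
  const sent = {};
  for (const [name, value] of Object.entries(authorHeaders)) {
    // Author-supplied Cookie headers are dropped, not forwarded.
    if (AUTHOR_FORBIDDEN_REQUEST_HEADERS.has(name.toLowerCase())) continue;
    sent[name.toLowerCase()] = value;
  }
  // Ambient credentials: the UA attaches its own cookies for the target host.
  const ambient = cookieHeaderFor(jar, targetHost);
  if (ambient) sent['cookie'] = ambient;

  const exposed = {};
  for (const [name, value] of Object.entries(response.headers)) {
    // Set-Cookie is processed by the UA but never shown to script.
    if (SCRIPT_HIDDEN_RESPONSE_HEADERS.has(name.toLowerCase())) continue;
    exposed[name.toLowerCase()] = value;
  }
  return { sent, exposed, body: response.body };
}

// Constructed scenario: a page on some other origin requests a resource from
// bank.example, tries to supply its own Cookie header, and the server answers
// with a Set-Cookie header.
function example() {
  return simulateCrossSiteRequest({
    jar: cookieJar,
    targetHost: 'bank.example',
    authorHeaders: { 'Cookie': 'session=forged', 'X-Requested-With': 'XMLHttpRequest' },
    response: {
      headers: { 'Content-Type': 'text/xml', 'Set-Cookie': 'session=rotated; HttpOnly' },
      body: '<balance>42</balance>',
    },
  });
}

console.log(JSON.stringify(example(), null, 2));
```

Running it shows the request going out with `cookie: session=abc123` (the jar's value, not the forged one) and the script seeing only `content-type`, never `set-cookie`. The practical consequence for whoever operates the target site is the one implied by Anne's first sentence: the request arrives carrying the user's real session cookie, so the server cannot tell from the cookie alone whether its own pages or another site initiated the request.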
