- From: Thomas Roessler <tlr@w3.org>
- Date: Sun, 13 Jan 2008 16:05:39 +0100
- To: Anne van Kesteren <annevk@opera.com>
- Cc: Jon Ferraiolo <jferrai@us.ibm.com>, public-appformats@w3.org
On 2007-12-12 15:47:22 +0100, Anne van Kesteren wrote:

>> ----------------
>> When making a cross-site access request user agents should ensure to:
>> ...
>> Not to expose any trusted data, such as cookies, HTTP header data,
>> inappropriately
>> ----------------
>> I worry that the language can be mis-interpreted or misunderstood. What
>> seems "inappropriate" to you might be different than what something else
>> thinks. My opinion (shared with other OpenAjax members) is that we would
>> like to see language that is simpler and more direct, such as "cookies
>> SHOULD NOT be sent with cross-site requests".

> That is actually the requirement after that one and only applies
> to authors. I modified this requirement to make it more clear
> that it is about the response.

> If there are any further things the specification should clarify
> please let me know. Thanks!

Once more sitting on a train and catching up on e-mail... What ever
happened to this thread? Where in the current spec language is this
handled?

It might be worth revisiting this one with a view toward the recent
JSONRequest discussion.

-- 
Thomas Roessler, W3C <tlr@w3.org>
Received on Sunday, 13 January 2008 16:44:12 UTC