- From: Ian Hickson <ian@hixie.ch>
- Date: Fri, 2 May 2008 22:44:45 +0000 (UTC)
- To: public-appformats@w3.org
I had lunch with sicking, dbaron, and Arun, and sicking proposed an interesting idea for how we could address their concerns with cookies being sent with AC/XHR2 requests.

The proposal is basically that along with the Access-Control header, the user agent can include an Access-Include-Credentials header. If the header is present, then, when sending the request, the user agent includes cookies and HTTP author headers (if any apply) as well as a Sec-Credentials-Included header to indicate that cookies and auth tokens were included (since the Cookie header might not be present, for instance, if no cookies apply, and the server needs to distinguish the case of the cookies having been potentially hidden intentionally from the case where the cookies were simply not present).

In the case of GET requests, the credentials would be omitted by default and if the response includes the Access-Include-Credentials then it would be sent again with credentials.

The presence of Access-Include-Credentials would be cached along with the policy and subject to Access-Control-Max-Age.

If this would resolve Mozilla's concerns, then I think we should take it. Of course if it doesn't actually resolve their concerns then ignore me. :-)

Cheers,
-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Friday, 2 May 2008 22:45:25 UTC
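The GET flow proposed in the mail, modelled end to end as an added example (this is a constructed illustration, not code from the mail's author or from any W3C draft): the user agent sends the first GET without credentials, retries with credentials only when the response carries Access-Include-Credentials, caches that decision for Access-Control-Max-Age seconds, and always sets Sec-Credentials-Included on a credentialed request so the server can tell "credentials withheld" from "credentials included, but no cookie applied". The origins, the sample cookie, the policy-cache layout and the injectable clock are assumptions; the non-GET path the mail mentions is not modelled.

```python
"""Model of the credential-inclusion exchange proposed in the mail above.

Constructed illustration, not code from the W3C draft or from the mail's
author. Header names come from the mail; the policy-cache layout, the
origins and the sample cookie are assumptions.
"""


class Server:
    """Cross-site resource that may opt in to receiving credentials."""

    def __init__(self, origin, include_credentials, max_age=3600):
        self.origin = origin
        self.include_credentials = include_credentials
        self.max_age = max_age
        self.log = []  # (method, request headers) as seen by the server

    def handle(self, method, headers):
        self.log.append((method, dict(headers)))
        resp = {
            "Access-Control": "allow <*>",
            "Access-Control-Max-Age": str(self.max_age),
        }
        if self.include_credentials:
            resp["Access-Include-Credentials"] = "true"
        # Sec-Credentials-Included lets the server tell "UA withheld
        # credentials" apart from "UA sent them but none applied".
        if headers.get("Sec-Credentials-Included") != "true":
            body = "withheld"
        elif "Cookie" in headers:
            body = "included:" + headers["Cookie"]
        else:
            body = "included-none"
        return resp, body


class UserAgent:
    """GET path from the mail: credentials omitted by default, re-sent if
    the response carries Access-Include-Credentials, and the decision
    cached for Access-Control-Max-Age seconds."""

    def __init__(self, cookies, clock):
        self.cookies = cookies        # origin -> cookie string (constructed)
        self.clock = clock            # injectable so the cache can be aged
        self.policy_cache = {}        # origin -> (include_credentials, expiry)

    def _send(self, server, method, with_credentials):
        headers = {}
        if with_credentials:
            cookie = self.cookies.get(server.origin)
            if cookie:
                headers["Cookie"] = cookie
            headers["Sec-Credentials-Included"] = "true"
        resp, body = server.handle(method, headers)
        # Cache the credential decision alongside the policy, bounded by max-age.
        include = resp.get("Access-Include-Credentials") == "true"
        expiry = self.clock() + int(resp.get("Access-Control-Max-Age", "0"))
        self.policy_cache[server.origin] = (include, expiry)
        return resp, body

    def get(self, server):
        cached = self.policy_cache.get(server.origin)
        if cached is not None and cached[1] > self.clock():
            return self._send(server, "GET", with_credentials=cached[0])[1]
        resp, body = self._send(server, "GET", with_credentials=False)
        if resp.get("Access-Include-Credentials") == "true":
            body = self._send(server, "GET", with_credentials=True)[1]
        return body


def demo():
    now = [1000.0]
    clock = lambda: now[0]
    ua = UserAgent({"https://api.example": "session=abc123"}, clock)

    opt_in = Server("https://api.example", include_credentials=True, max_age=60)
    first = ua.get(opt_in)          # anonymous GET, then credentialed retry
    second = ua.get(opt_in)         # policy cached: single credentialed GET
    now[0] += 61                    # past Access-Control-Max-Age
    third = ua.get(opt_in)          # cache expired: back to two requests

    opt_out = Server("https://other.example", include_credentials=False)
    anon = ua.get(opt_out)          # never re-sent with credentials

    no_cookie = Server("https://nocookie.example", include_credentials=True)
    none_apply = ua.get(no_cookie)  # credentials sent, but no cookie applies

    return {
        "first": first, "second": second, "third": third,
        "anon": anon, "none_apply": none_apply,
        "opt_in_requests": len(opt_in.log),
        "opt_out_requests": len(opt_out.log),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The point of the `none_apply` case is the one the mail makes about Sec-Credentials-Included: without that header the server would see a credential-less request both when the user agent deliberately withheld cookies and when the user simply had none, and could not react differently to the two.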