
Cross-set XHR / XDR cookies by another name

From: Adam Barth <public-webapi@adambarth.com>
Date: Sat, 17 May 2008 11:10:26 -0700
Message-ID: <7789133a0805171110p35a0cdebq69e53c780d78bb93@mail.gmail.com>
To: "public-webapi@w3.org" <public-webapi@w3.org>
Cc: "Chris Wilson" <Chris.Wilson@microsoft.com>, "IE8 Core AJAX SWAT Team" <ieajax@microsoft.com>

There appear to be three main issues with including cookies in
cross-site XHR and/or XDR requests:

1) Integrity: Legacy servers might not realize the request is
cross-site and act based upon the cookies.
2) Privacy: Including the cookies lets sites more easily track users
across domains.
3) Ambient authority: Cookies, in general, authorize, but fail to
designate, actions.

One approach to dealing with issue (1) is to include the cookies in a
header with a new name.  For example, instead of including the header
"Cookie: SID=98sSJs0djffj82w3" we could include the header:

XDomainRequestCookie: SID=98sSJs0djffj82w3

Legacy servers would ignore this header and not take action based on
the user's session identifier.  XDomainRequest-aware servers, however,
could read the new header and provide useful, user-specific services
based on its contents.  (Of course, cross-site XHR could use a similar
approach.)

Adam
Received on Saturday, 17 May 2008 18:11:10 GMT
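A small Python model of the header-renaming proposal above, added here as an example and not code from the post: the client puts the cookie string under the proposed header for cross-site requests, a legacy server that only reads Cookie sees no session, and an aware server reads the new header and also learns that the request was cross-site. The function names, the host-equality same-site check and the sample URLs are assumptions made for the example.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Header name proposed in the post for cookies on cross-site requests.
XDR_COOKIE_HEADER = "XDomainRequestCookie"


def is_cross_site(document_url: str, request_url: str) -> bool:
    """Simplified same-site test: scheme and host must match.
    (Assumption: real browsers compare registrable domains; host
    equality is enough to illustrate which header name gets used.)"""
    a, b = urlsplit(document_url), urlsplit(request_url)
    return (a.scheme, a.hostname) != (b.scheme, b.hostname)


def build_request_headers(document_url: str, request_url: str,
                          cookies: dict) -> dict:
    """Client side: attach the cookie string under 'Cookie' for same-site
    requests and under the new header name for cross-site ones."""
    if not cookies:
        return {}
    cookie_str = "; ".join(f"{k}={v}" for k, v in cookies.items())
    name = (XDR_COOKIE_HEADER
            if is_cross_site(document_url, request_url) else "Cookie")
    return {name: cookie_str}


def legacy_session_id(headers: dict):
    """Legacy server: only knows 'Cookie', so a cross-site request carries
    no session for it and is handled as anonymous (the integrity point)."""
    jar = SimpleCookie(headers.get("Cookie", ""))
    return jar["SID"].value if "SID" in jar else None


def xdr_aware_session_id(headers: dict):
    """XDomainRequest-aware server: reads the new header as well and
    returns (session id, came_cross_site) so it can decide separately
    what a cross-site caller is allowed to do with that session."""
    if "Cookie" in headers:
        jar = SimpleCookie(headers["Cookie"])
        return (jar["SID"].value if "SID" in jar else None, False)
    if XDR_COOKIE_HEADER in headers:
        jar = SimpleCookie(headers[XDR_COOKIE_HEADER])
        return (jar["SID"].value if "SID" in jar else None, True)
    return (None, False)
```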
