There appear to be three main issues with including cookies in cross-site XHR and/or XDR requests:

1) Integrity: Legacy servers might not realize the request is cross-site and act based upon the cookies.
2) Privacy: Including the cookies lets sites more easily track users across domains.
3) Ambient authority: Cookies, in general, authorize, but fail to designate, actions.

One approach to dealing with issue (1) is to include the cookies in a header with a new name. For example, instead of including the header "Cookie: SID=98sSJs0djffj82w3" we could include the header:

  XDomainRequestCookie: SID=98sSJs0djffj82w3

Legacy servers would ignore this header and not take action based on the user's session identifier. XDomainRequest-aware servers, however, could read the new header and provide useful, user-specific services based on its contents. (Of course, cross-site XHR could use a similar approach.)

Adam

Received on Saturday, 17 May 2008 18:11:10 UTC
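The server-side effect of the renamed header, sketched as an added example that is not part of the original message or of any browser or server implementation. The handler names, the session table, the result labels and the "limited service" policy for cross-site sessions are assumptions made for illustration; only the header name and the sample SID come from the message.

```python
from http.cookies import CookieError, SimpleCookie

# Constructed session table; the SID is the sample value quoted in the message.
SESSIONS = {"98sSJs0djffj82w3": "alice"}


def _header(headers, name):
    """Case-insensitive header lookup, as HTTP header names are."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def _user_from(cookie_value):
    """Map the SID in a cookie-style header value to a user, or None."""
    if not cookie_value:
        return None
    jar = SimpleCookie()
    try:
        jar.load(cookie_value)
    except CookieError:
        return None
    sid = jar.get("SID")
    return SESSIONS.get(sid.value) if sid else None


def legacy_handler(headers):
    """Legacy server: knows only Cookie, so the renamed header is ignored."""
    user = _user_from(_header(headers, "Cookie"))
    return ("state-changed", user) if user else ("login-required", None)


def aware_handler(headers):
    """Aware server: keeps the two sources of identity apart."""
    user = _user_from(_header(headers, "Cookie"))
    if user:
        return ("full-access", user)
    # Assumed policy: a session presented cross-site gets limited service.
    user = _user_from(_header(headers, "XDomainRequestCookie"))
    if user:
        return ("cross-site-limited", user)
    return ("anonymous", None)
```

The legacy handler treats a request carrying only the new header as unauthenticated, which is the integrity property the message is after; the aware handler can still recognise the user but knows the session arrived cross-site.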