Re: Opting in to cookies - proposal

From: Jonas Sicking <jonas@sicking.cc>
Date: Sun, 22 Jun 2008 01:50:32 -0700
Message-ID: <485E1258.1070707@sicking.cc>
To: Bjoern Hoehrmann <derhoermi@gmx.net>
Cc: Web Applications Working Group WG <public-webapps@w3.org>

Bjoern Hoehrmann wrote:
> * Jonas Sicking wrote:
>> First off, as before, when I talk about "cookies" in this mail I really
>> mean cookies + digest auth headers + any other headers that carry the
>> user's credentials to a site.
> I don't quite see why you would mix these. Is there anywhere where I can
> read up on the use cases for an extra feature to enable the transmission
> of cookies if not included by default? Especially for users' credentials
> in cookies it is difficult to imagine real world applications that would
> depend on or at least greatly benefit from such a feature.

I'm not quite following what you are asking here. My proposal is about 
giving a site the ability to enable two "modes" of Access-Control:

1. Allow a third-party site to read the data on this resource, and/or
    perform unsafe methods in HTTP requests to this resource. When
    these requests are sent any cookie and/or auth headers (for the
    resource) are included in the request, just as if it had been a
    same-site XHR request.
2. Same as above, but requests never include cookies or auth
    headers.

In the spec currently only mode 1 is possible. I suggest that we make 
mode 2 possible as well. I guess you can call it "opting out of cookies" 
as well...

/ Jonas
Received on Sunday, 22 June 2008 08:51:35 UTC
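
The two modes described in the message above, modelled as an added example that is not part of the original message or of any spec text. It assumes the modes map onto the credentialed and uncredentialed requests of present-day CORS and uses that spec's header names; the function names, origin and header values are constructed for illustration.

```javascript
// Assumption: present-day CORS header names stand in for the 2008 draft.
// Headers that carry the user's credentials to a site.
const CREDENTIAL_HEADERS = ["cookie", "authorization"];

// Constructed sample: what the browser holds for the target resource.
const AMBIENT = {
  Cookie: "session=constructed-value",
  Authorization: "Digest constructed-value",
  Accept: "application/json",
};

// Build the headers sent with a cross-site request.
// mode 1: credentials included, as for a same-site XHR request.
// mode 2: cookies and auth headers are never included.
function buildRequestHeaders(mode, origin, ambient) {
  const headers = { origin };
  for (const [name, value] of Object.entries(ambient)) {
    const key = name.toLowerCase();
    if (mode === 1 || !CREDENTIAL_HEADERS.includes(key)) {
      headers[key] = value;
    }
  }
  return headers;
}

// Decide whether the third-party page may read the response.
function mayReadResponse(mode, origin, responseHeaders) {
  const allowOrigin = responseHeaders["access-control-allow-origin"];
  const allowCreds = responseHeaders["access-control-allow-credentials"];
  if (mode === 2) {
    // No credentials were sent, so a wildcard grant is acceptable.
    return allowOrigin === "*" || allowOrigin === origin;
  }
  // Mode 1: the resource must name the origin exactly and opt in to
  // credentials; a bare wildcard is not enough.
  return allowOrigin === origin && allowCreds === "true";
}
```

A resource that answers only with a wildcard grant is readable in mode 2 but not in mode 1, which is the opt-in the subject line refers to.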