
Re: [AC] Defining cookieless requests

From: Arthur Barstow <art.barstow@nokia.com>
Date: Mon, 6 Oct 2008 15:17:08 -0400
Message-Id: <F2CA213A-93C1-4B69-879F-08D3BD76AB33@nokia.com>
Cc: Webapps WG <public-webapps@w3.org>
To: ext Jonas Sicking <jonas@sicking.cc>, Anne van Kesteren <annevk@opera.com>

Jonas,

On Oct 3, 2008, at 12:55 PM, ext Jonas Sicking wrote:

>
> Anne van Kesteren wrote:
>> On Thu, 02 Oct 2008 01:24:34 +0200, Jonas Sicking  
>> <jonas@sicking.cc> wrote:
>>> I think it would be good if we more explicitly could define the  
>>> two, with cookies vs. without cookies, security modes for Access- 
>>> Control.
>>>
>>> Right now the spec talks about the with-credentials flag either  
>>> being true or false, however it doesn't really receive as much  
>>> attention as for example simple vs. preflighted requests.
>> That's because simple vs. preflight requests affect a lot of  
>> things. Whether or not cookies are included doesn't really.
>
> It changes enormously much security wise. More so than simple vs.  
> preflighted.

Do you have some specific text to propose?

Perhaps some of the rationale in your original e-mail in this thread  
[1] could be leveraged.

-Regards, Art Barstow

[1] <http://www.w3.org/mid/48E406B2.4050104@sicking.cc>


>
> / Jonas
>
Received on Monday, 6 October 2008 19:18:25 GMT
