W3C home > Mailing lists > Public > public-webapps@w3.org > July to September 2009

Re: [XMLHttpRequest] withCredentials=false and returned cookies

From: David Levin <levin@chromium.org>
Date: Tue, 11 Aug 2009 20:41:57 -0700
Message-ID: <b902e34a0908112041x773ec877s1be843bbb4a8fbb8@mail.gmail.com>
To: public-webapps@w3.org, Anne van Kesteren <annevk@opera.com>
It appears that both Safari and Firefox ignore returned cookies from a cross
origin xhr when the credentials flag is set to false.  This behavior seems
very reasonable.
Should the XMLHttpRequest level 2 spec indicate that this is the expected
behavior?
Dave

On Thu, Jul 30, 2009 at 11:46 AM, David Levin <levin@chromium.org> wrote:

> In http://www.w3.org/TR/XMLHttpRequest2/#credentials, it
> says: "The credentials flag ...indicates whether a non same origin request
> includes cookie and HTTP authentication data...during the send() algorithm."
>
> If withCredentials is false, it seems like the cookies returned from the
> request shouldn't be stored either, but I couldn't find mention of this.
> (Why should the cookies returned from this be stored and possibly interfere
> with same origin requests, especially if the cookies aren't being sent?)
>
> Is this true?
>
> thanks, dave
>
>
Received on Wednesday, 12 August 2009 03:42:36 GMT

This archive was generated by hypermail 2.3.1 : Tuesday, 26 March 2013 18:49:33 GMT