Re: [XMLHttpRequest] withCredentials=false and returned cookies

From: Jonas Sicking <jonas@sicking.cc>
Date: Tue, 11 Aug 2009 21:55:50 -0700
Message-ID: <63df84f0908112155q57a86d8q789dc6cfba35af52@mail.gmail.com>
To: David Levin <levin@chromium.org>
Cc: public-webapps@w3.org, Anne van Kesteren <annevk@opera.com>

Indeed, otherwise there's a risk that existing cookies for the site
will be overwritten.

/ Jonas

On Tue, Aug 11, 2009 at 8:41 PM, David Levin <levin@chromium.org> wrote:
> It appears that both Safari and Firefox ignore returned cookies from a cross
> origin xhr when the credentials flag is set to false.  This behavior seems
> very reasonable.
> Should the XMLHttpRequest level 2 spec indicate that this is the expected
> behavior?
> Dave
>
> On Thu, Jul 30, 2009 at 11:46 AM, David Levin <levin@chromium.org> wrote:
>>
>> In http://www.w3.org/TR/XMLHttpRequest2/#credentials, it
>> says: "The credentials flag ...indicates whether a non same origin request
>> includes cookie and HTTP authentication data...during the send() algorithm."
>>
>> If withCredentials is false, it seems like the cookies returned from the
>> request shouldn't be stored either, but I couldn't find mention of this.
>> (Why should the cookies returned from this be stored and possibly interfere
>> with same origin requests, especially if the cookies aren't being sent?)
>> Is this true?
>> thanks, dave
>
>
Received on Wednesday, 12 August 2009 04:56:50 GMT
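
The overwrite risk discussed in this thread, modelled as an added example that is not part of the original messages, the specification, or any browser's code. The cookie jar, the `crossOriginXhr` function, the `storeWhenUncredentialed` switch, the host name and the cookie values are all hypothetical and constructed for illustration.

```javascript
// Toy user-agent model (assumption: only name=value is tracked, attributes ignored).
class CookieJar {
  constructor() { this.byHost = new Map(); }
  set(host, setCookieHeader) {
    const pair = setCookieHeader.split(';')[0];
    const eq = pair.indexOf('=');
    if (eq < 1) return; // malformed header, nothing to store
    const name = pair.slice(0, eq).trim();
    const value = pair.slice(eq + 1).trim();
    if (!this.byHost.has(host)) this.byHost.set(host, new Map());
    this.byHost.get(host).set(name, value); // same name overwrites the old value
  }
  header(host) {
    const cookies = this.byHost.get(host);
    if (!cookies) return '';
    return [...cookies].map(([n, v]) => `${n}=${v}`).join('; ');
  }
}

// Models one cross-origin XHR. `respond` stands in for the server: it gets the
// request headers and returns the Set-Cookie values of the response.
function crossOriginXhr(jar, host, withCredentials, respond, storeWhenUncredentialed) {
  const requestHeaders = {};
  if (withCredentials) {
    const cookie = jar.header(host);
    if (cookie) requestHeaders.Cookie = cookie;
  }
  const setCookies = respond(requestHeaders);
  // Behaviour reported for Safari and Firefox in the thread: returned cookies
  // are ignored when the credentials flag is false.
  if (withCredentials || storeWhenUncredentialed) {
    for (const sc of setCookies) jar.set(host, sc);
  }
  return requestHeaders;
}

function demo(storeWhenUncredentialed) {
  const jar = new CookieJar();
  const host = 'api.example'; // constructed host
  jar.set(host, 'session=user-login; Path=/'); // left by an earlier same-origin visit
  // The server sees no cookie on the request, so it issues a fresh anonymous session.
  const respond = (h) => (h.Cookie ? [] : ['session=anonymous; Path=/']);
  const sent = crossOriginXhr(jar, host, false, respond, storeWhenUncredentialed);
  return { sentCookie: sent.Cookie, stored: jar.header(host) };
}
```

With `demo(false)` the existing session cookie survives the uncredentialed request; with `demo(true)` the response replaces it, which is the interference with same-origin requests raised in the thread.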