
Re: [cors] Set-Cookie / Referer / NTML / cache

From: Anne van Kesteren <annevk@opera.com>
Date: Wed, 12 May 2010 13:02:05 +0200
To: "Jonas Sicking" <jonas@sicking.cc>
Cc: "Tyler Close" <tyler.close@gmail.com>, "Maciej Stachowiak" <mjs@apple.com>, "Mark S. Miller" <erights@google.com>, "WebApps WG" <public-webapps@w3.org>
Message-ID: <op.vck99rsx64w2qv@annevk-t60>

Thanks a lot for explaining this Jonas! In theory this seems like a bug in  
the server for not sending the appropriate Vary header, but it makes sense  
to not rely on the server for doing the right thing.

However, it seems this means we end up with three separate caches. One for  
requests including user credentials, one for requests excluding user  
credentials but including Origin/Referer, and one for requests excluding  
user credentials and Origin/Referer. Is there really no way we can drop  
withCredentials on the floor at this point and encourage people to use  
AnonXMLHttpRequest() instead? withCredentials is annoyingly inconsistent  
depending on whether the request is same-origin or not and really not that  
good of a feature. Dropping it would not make sites insecure as they would  
still need to include Access-Control-Allow-Credentials.

I think this would give authors a much simpler and consistent API. Either  
you use AnonXMLHttpRequest which excludes user credentials and  
Origin/Referer or you use XMLHttpRequest. And the request semantics of  
both would not depend on other variables.


On Wed, 12 May 2010 00:12:30 +0200, Jonas Sicking <jonas@sicking.cc> wrote:
> The problem with cache is as follows:
>
> [...]
>
> The solution is to use separate HTTP caches for cookie-enabled and
> cookie-less requests (or to include the 'cookies enabled' flag as part
> of the key to the cache).
>
> The mozilla implementation similarly never reuses HTTP keep-alive
> connections between cookie-enabled and cookie-less requests. Nor
> shares ssh connections for https requests between cookie-enabled and
> cookie-less requests.


-- 
Anne van Kesteren
http://annevankesteren.nl/
Received on Wednesday, 12 May 2010 11:03:13 GMT
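As an added example, not code from this thread or from any browser implementation, the following JavaScript models the cache partitioning Jonas describes (the credentials flag as part of the cache key) together with the Origin header, which gives the three request classes Anne enumerates, and the Vary headers a server should send to do the right thing; the cache, helper and sample request names are this example's own assumptions.

```javascript
// Added example, not code from the thread or any browser: it models the cache
// partitioning Jonas describes (the 'credentials enabled' flag becomes part of
// the cache key) plus the Origin header. All names/values here are constructed.

// A request as the model sees it: method, url, whether user credentials are
// sent, and the Origin header if any (AnonXMLHttpRequest sends neither).
function cacheKey(req) {
  const creds = req.credentials ? 'cred' : 'anon';
  const origin = req.origin || '(none)';
  return `${req.method} ${req.url} | ${creds} | ${origin}`;
}

class PartitionedCache {
  constructor() { this.entries = new Map(); }
  store(req, response) { this.entries.set(cacheKey(req), response); }
  lookup(req) { return this.entries.get(cacheKey(req)) || null; }
}

// A cache keyed on method+url only is the failure mode the thread works
// around: if the server omits Vary, a response produced for a cookie-carrying
// request would be replayed to a cookie-less one, and vice versa.
function naiveKey(req) { return `${req.method} ${req.url}`; }

// Server side, "doing the right thing": a CORS resource whose answer depends
// on the requester says so via Vary (Origin, plus Cookie when the body depends
// on login state) and only echoes an allow-listed origin.
function corsResponseHeaders(requestOrigin, allowedOrigins, withCredentials) {
  const headers = { Vary: 'Origin' };
  if (allowedOrigins.includes(requestOrigin)) {
    headers['Access-Control-Allow-Origin'] = requestOrigin;
    if (withCredentials) {
      headers['Access-Control-Allow-Credentials'] = 'true';
      headers.Vary = 'Origin, Cookie';
    }
  }
  return headers;
}

// Constructed sample traffic: the three request classes Anne lists, one URL.
const url = 'https://api.example/profile';
const credReq = { method: 'GET', url, credentials: true, origin: 'https://a.example' };
const anonReq = { method: 'GET', url, credentials: false, origin: 'https://a.example' };
const anonXhr = { method: 'GET', url, credentials: false, origin: null };

function demo() {
  const cache = new PartitionedCache();
  cache.store(credReq, 'private profile of the logged-in user');
  return { partitioned: [cache.lookup(anonReq), cache.lookup(anonXhr)],
           naiveCollides: naiveKey(credReq) === naiveKey(anonReq) };
}
```

Running `demo()` shows the credentialed response is never handed to either anonymous request class under the partitioned key, while the naive key collides for all three.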
