W3C home > Mailing lists > Public > public-webapps@w3.org > October to December 2011

Re: [cors] Failed sharing check and cookies

From: Anne van Kesteren <annevk@opera.com>
Date: Tue, 11 Oct 2011 13:20:40 +0900
To: "WebApps WG" <public-webapps@w3.org>
Message-ID: <op.v256cq2f64w2qv@annevk-macbookpro.local>
On Tue, 11 Oct 2011 12:53:35 +0900, Anne van Kesteren <annevk@opera.com>  
wrote:
> Currently if a resource sharing check fails cookies will still be set  
> for a credentialed request similarly to how they would be with <form> or  
> <img>. However, it seems that HTML defines for <img crossorigin> that  
> the UA must act as if there was no response at all. That does not work  
> of course for the normal <img> case where the server could still opt in  
> to sharing, but would work for XMLHttpRequest.
>
> I think I will try to adopt that stricter behavior. Please speak up if  
> you disagree.

To make it more clear, currently if you XHR from A to B with  
withCredentials set to true, and B does a Set-Cookie, cookies will be set  
for B regardless of whether the resource sharing check for B passes or  
fails.

If you do <img crossorigin> from A to B, and a resource sharing check for  
B fails, cookies must not be set (per my reading of the HTML  
specification).

The question is whether XHR should align with this behavior.


On IRC sicking brought up this might be harder for Gecko because of their  
HTTP library implementation (they currently do not conform for <img  
crossorigin> therefore). Is this an issue for WebKit? For Opera it does  
not matter, but we prefer the stricter behavior.


-- 
Anne van Kesteren
http://annevankesteren.nl/
Received on Tuesday, 11 October 2011 04:21:28 GMT

This archive was generated by hypermail 2.3.1 : Tuesday, 26 March 2013 18:49:48 GMT