Re: More clarity about cookie handling

Hi Jon,

On Fri, 30 Nov 2007 19:03:46 +0100, Jon Ferraiolo <jferrai@us.ibm.com> wrote:
> [...] is that the wording about cookies needs to be
> clearer. The specification now says:
>
> ----------------
> When making a cross-site access request user agents should ensure to:
>       ...
>       Not to expose any trusted data, such as cookies, HTTP header data,
>       inappropriately
> ----------------
>
> I worry that the language can be mis-interpreted or misunderstood. What
> seems "inappropriate" to you might be different than what something else
> thinks. My opinion (shared with other OpenAjax members) is that we would
> like to see language that is simpler and more direct, such as "cookies
> SHOULD NOT be sent with cross-site requests".

That is actually the requirement after that one and only applies to  
authors. I modified this requirement to make it more clear that it is  
about the response.

If there are any further things the specification should clarify please  
let me know. Thanks!

Kind regards,


-- 
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>

Received on Wednesday, 12 December 2007 14:51:36 UTC