- From: Anne van Kesteren <annevk@opera.com>
- Date: Wed, 12 Dec 2007 15:47:22 +0100
- To: "Jon Ferraiolo" <jferrai@us.ibm.com>, public-appformats@w3.org
Hi Jon,

On Fri, 30 Nov 2007 19:03:46 +0100, Jon Ferraiolo <jferrai@us.ibm.com> wrote:
> [...] is that the wording about cookies needs to be
> clearer. The specification now says:
>
> ----------------
> When making a cross-site access request user agents should ensure to:
> ...
> Not to expose any trusted data, such as cookies, HTTP header data,
> inappropriately
> ----------------
>
> I worry that the language can be mis-interpreted or misunderstood. What
> seems "inappropriate" to you might be different than what something else
> thinks. My opinion (shared with other OpenAjax members) is that we would
> like to see language that is simpler and more direct, such as "cookies
> SHOULD NOT be sent with cross-site requests".

That is actually the requirement after that one and only applies to authors. I modified this requirement to make it more clear that it is about the response. If there are any further things the specification should clarify please let me know. Thanks!

Kind regards,

--
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>
Received on Wednesday, 12 December 2007 14:51:36 UTC