- From: Anne van Kesteren <annevk@opera.com>
- Date: Fri, 30 Nov 2007 19:38:55 +0100
- To: "Jon Ferraiolo" <jferrai@us.ibm.com>, public-appformats@w3.org
Thanks for your comments. I will reply again later when I make the draft more clear, but I thought it would be nice to point out some misunderstandings right away.

On Fri, 30 Nov 2007 19:03:46 +0100, Jon Ferraiolo <jferrai@us.ibm.com> wrote:

> ----------------
> When making a cross-site access request user agents:
> ...
> * SHOULD NOT transmit cookies or HTTP header data
> ----------------

Just a quick response. Cookies are transmitted if the user previously authenticated at the site the request goes towards. The idea is that cookie information in the _response_ is not revealed (responseXML.cookie for instance) and also that Web authors cannot set cookie headers.

> * I expect the words "HTTP header data" might need some work since the
> specification does indicate that in some cases some HTTP headers are
> sent.

This is, again, about the response.

> * Although I haven't discovered any specific security problems, that
> doesn't mean none exists.

Agreed. :-)

-- 
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>
Received on Friday, 30 November 2007 18:43:33 UTC
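The distinction Anne draws above (ambient cookies are sent by the user agent, but the author cannot set a Cookie header and the script never sees Set-Cookie) is easy to misread, so here is a small model of that user-agent behaviour. This is an added example for this archive page, not code from the thread, the draft, or Opera; the class and field names (UserAgent, cookieJar, buildRequestHeaders, exposeResponseHeaders) and every cookie and host value in it are constructed for the illustration.

```javascript
// Added example: a model of the user-agent rules for a cross-site access
// request as described in the message above. All names and values here are
// constructed for illustration; they are not from the draft or the thread.

// Request headers that page script is never allowed to set itself.
const FORBIDDEN_REQUEST_HEADERS = new Set(["cookie", "cookie2"]);
// Response headers that are applied by the user agent but never exposed to script.
const HIDDEN_RESPONSE_HEADERS = new Set(["set-cookie", "set-cookie2"]);

class UserAgent {
  constructor() {
    // Per-host cookie store, filled by earlier (e.g. interactive) logins.
    this.cookieJar = new Map();
  }

  // Headers actually sent to `host`: the author's headers minus the forbidden
  // ones, plus whatever the jar already holds for that host (ambient credentials).
  buildRequestHeaders(host, authorHeaders) {
    const sent = {};
    for (const [name, value] of Object.entries(authorHeaders)) {
      const lower = name.toLowerCase();
      if (FORBIDDEN_REQUEST_HEADERS.has(lower)) continue; // silently dropped
      sent[lower] = value;
    }
    const stored = this.cookieJar.get(host);
    if (stored) sent["cookie"] = stored; // attached by the UA, not by the author
    return sent;
  }

  // Headers the script gets to see: Set-Cookie updates the jar but is hidden.
  exposeResponseHeaders(host, responseHeaders) {
    const visible = {};
    for (const [name, value] of Object.entries(responseHeaders)) {
      const lower = name.toLowerCase();
      if (HIDDEN_RESPONSE_HEADERS.has(lower)) {
        // Keep only the name=value pair; attributes such as Path are ignored here.
        this.cookieJar.set(host, value.split(";")[0].trim());
        continue; // applied to the jar, not revealed to the script
      }
      visible[lower] = value;
    }
    return visible;
  }
}

// Walks one cross-site request through the model and returns what each side saw.
function runScenario() {
  const ua = new UserAgent();
  // Constructed: the user logged in at example.org earlier in the session.
  ua.cookieJar.set("example.org", "session=abc123");

  // Script on some other site tries to set its own Cookie header.
  const sent = ua.buildRequestHeaders("example.org", {
    "Cookie": "session=forged",
    "X-Requested-With": "XMLHttpRequest",
  });

  // Constructed response from example.org that also tries to set a new cookie.
  const visible = ua.exposeResponseHeaders("example.org", {
    "Content-Type": "text/xml",
    "Set-Cookie": "session=def456; Path=/",
  });

  return { sent, visible, jar: ua.cookieJar.get("example.org") };
}

module.exports = { UserAgent, runScenario };
```

Because the stored session cookie does go out with the request, a server that grants access to a cross-site caller is handing that caller the user's ambient credentials; the model shows only what the user agent hides from script, not what the server must still decide for itself.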