- From: Anne van Kesteren <annevk@opera.com>
- Date: Thu, 07 Feb 2008 12:13:13 +0100
- To: "Jon Ferraiolo" <jferrai@us.ibm.com>
- Cc: "WAF WG (public)" <public-appformats@w3.org>

On Wed, 06 Feb 2008 23:21:05 +0100, Jon Ferraiolo <jferrai@us.ibm.com> wrote:
> Thanks for presenting the cookie situation in this manner. One way to
> address your concern is to not send cookies. As I have stated numerous
> times, I don't think Access Control takes the best approach towards
> addressing the cross-site problem, but nevertheless, if it goes forward
> in a manner similar to what is in the spec today, I would prefer that it
> not send cookies. Or at a minimum, only transmit cookies if there is a
> prior OPTIONS call where the cross-site server authorizes the browser to
> send site B's cookies.

Cookies are already transmitted for cross-site requests today. For non-GET requests a preflight request is made. You keep failing to provide a viable scenario as to why either is an issue and yet you consistently e-mail this list whenever you see a gap to complain about Access Control not taking the best approach where the best approach is some trick we all have to guess at.

This is getting slightly annoying. Would it be possible to provide clear rationale instead of telling us what you prefer, what you think, etc.?

--
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>

Received on Thursday, 7 February 2008 11:09:33 UTC