RE: Accountability in AC4CSR

Ian Hickson wrote:
> On Thu, 7 Feb 2008, Close, Tyler J. wrote:
> > L. David Baron wrote:
> > >
> > > [...] This is already possible with things like the basic (map
> > > display) part of the Google Maps API only because there aren't
> > > cross-site restrictions on image loading  [...]
> > >
> > > In what cases is accountability for actions needed for such
> > > fully-public resources?
> >
> > It may not be, in which case the user authentication
> cookies are also
> > not needed. So public resources could be safely accessed by a design
> > that did not send user cookies with the cross-domain
> request. Sending
> > the cookies creates the issue of how to handle accountability.
>
> We'd still like cookies sent even for cross-site image
> requests for the
> Google Maps API, e.g. so that we can send user-personalised
> map tiles. For
> example, one could imagine that map tiles would be localised
> based on the
> user's preferences instead of based on geographic location or the
> embedder's language, in which case we'd need the cookie.

I'm assuming fetching of the map tiles is a GET operation, so it's conceivable that cookies could be sent for GET requests, and not for POST requests, under the rationale that RFC 2616 says that the server alone is accountable for the effects of Safe Methods, such as GET. This is getting a little complicated though, so I can't be sure its actually safe without some more thinking.

--Tyler

Received on Thursday, 7 February 2008 17:42:20 UTC