Re: Mozilla security review of Access Control

On Tue, 19 Feb 2008, Jonas Sicking wrote:
> 
> Should we send cookies and auth headers for cross site requests:
> For now we decided not to, but I'd like to bring this issue up in other forums
> too, will do so here shortly. This issue will not be dealt with tomorrow since
> it's simply too big to reach a conclusion.

For what it's worth, lack of user credentials on the request would make 
most uses of cross-domain XHR pretty much useless for us. We need to know 
who the user is so that we can affect their data, and we don't want to 
give the remote site access to those credentials.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

Received on Wednesday, 20 February 2008 21:26:41 UTC