RE: Mozilla security review of Access Control

Ian Hickson:
> On Tue, 19 Feb 2008, Jonas Sicking wrote:
> >
> > Should we send cookies and auth headers for cross site requests:
> > For now we decided not to, but I'd like to bring this issue up in other forums
> > too, will do so here shortly. This issue will not be dealt with tomorrow since
> > it's simply too big to reach a conclusion.
>
> For what it's worth, lack of user credentials on the request would make
> most uses of cross-domain XHR pretty much useless for us. We need to know
> who the user is so that we can affect their data, and we don't want to
> give the remote site access to those credentials.

Why couldn't your application give the remote site access to different credentials that provide the information you need, but don't reveal the user's primary credentials?

--Tyler

Received on Thursday, 21 February 2008 01:05:17 UTC