- From: Ian Hickson <ian@hixie.ch>
- Date: Thu, 21 Feb 2008 06:19:57 +0000 (UTC)
- To: "Close, Tyler J." <tyler.close@hp.com>
- Cc: Jonas Sicking <jonas@sicking.cc>, "WAF WG (public)" <public-appformats@w3.org>
On Thu, 21 Feb 2008, Close, Tyler J. wrote:
> Ian Hickson:
> > On Tue, 19 Feb 2008, Jonas Sicking wrote:
> > >
> > > Should we send cookies and auth headers for cross site requests: For
> > > now we decided not to, but I'd like to bring this issue up in other
> > > forums too, will do so here shortly. This issue will not be dealt
> > > with tomorrow since it's simply too big to reach a conclusion.
> >
> > For what it's worth, lack of user credentials on the request would
> > make most uses of cross-domain XHR pretty much useless for us. We need
> > to know who the user is so that we can affect their data, and we don't
> > want to give the remote site access to those credentials.
>
> Why couldn't your application give the remote site access to
> different credentials that provide the information you need, but don't
> reveal the user's primary credentials?

If the command is something simple like adding an event to a calendar, the
ideal UI doesn't involve the user doing anything in the way of giving
credentials -- or indeed anything else -- to anyone. Just a click "add
this event to my calendar" or some such. We still need to know who the
user is.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Thursday, 21 February 2008 06:20:10 UTC