
Re: More clarity about cookie handling

From: Thomas Roessler <tlr@w3.org>
Date: Sun, 13 Jan 2008 16:05:39 +0100
To: Anne van Kesteren <annevk@opera.com>
Cc: Jon Ferraiolo <jferrai@us.ibm.com>, public-appformats@w3.org
Message-ID: <20080113150539.GM262@iCoaster.does-not-exist.org>

On 2007-12-12 15:47:22 +0100, Anne van Kesteren wrote:

>> ----------------
>> When making a cross-site access request user agents should ensure to:
>>       ...
>>       Not to expose any trusted data, such as cookies, HTTP header data,
>>       inappropriately
>> ----------------

>> I worry that the language can be mis-interpreted or misunderstood. What
>> seems "inappropriate" to you might be different than what something else
>> thinks. My opinion (shared with other OpenAjax members) is that we would
>> like to see language that is simpler and more direct, such as "cookies
>> SHOULD NOT be sent with cross-site requests".

> That is actually the requirement after that one and only applies
> to authors.  I modified this requirement to make it more clear
> that it is about the response.

> If there are any further things the specification should clarify
> please let me know. Thanks!

Once more sitting on a train and catching up on e-mail... Whatever
happened to this thread?  Where in the current spec language is this
handled?

It might be worth revisiting this one with a view toward the recent
JSONRequest discussion.

-- 
Thomas Roessler, W3C  <tlr@w3.org>
Received on Sunday, 13 January 2008 16:44:12 UTC
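The reply quoted above separates two requirements that the original wording ran together: an authoring rule (cookies SHOULD NOT be sent with cross-site requests) and a user-agent rule about what of a cross-site response may be exposed to the requesting page. The following is an added example written for this page, not code from the thread or from the W3C draft; it models both sides as a small offline simulation. The header names and the credentialed-request rules (exact origin match, explicit credentials opt-in, no wildcard with credentials, limited header exposure) follow what the Access Control draft later became as CORS, not the January 2008 text, and the origins, URL and sample responses are constructed.

```javascript
// Added example (not from the thread or the W3C draft). Models the two
// requirements the reply distinguishes. Header names and the credentialed
// rules are assumptions taken from CORS, the spec this draft became.

// Constructed sample origin of the requesting page.
const PAGE_ORIGIN = "https://app.example";

// Author-side requirement: "cookies SHOULD NOT be sent with cross-site
// requests". A page that does not need the user's ambient credentials omits
// them, so nothing the target returns can be an authenticated view of the user.
function buildCrossSiteRequest(url, { withCredentials = false } = {}) {
  return {
    url,
    origin: PAGE_ORIGIN,
    credentials: withCredentials ? "include" : "omit",
  };
}

// Response headers a user agent may reveal without the target listing them
// (assumption: the CORS safelist).
const SAFELISTED = new Set([
  "cache-control", "content-language", "content-length",
  "content-type", "expires", "last-modified", "pragma",
]);

// User-agent-side requirement: do not expose the response (body or headers)
// to the requesting page unless the target opted in. When the request carried
// cookies, the opt-in must name the exact origin and allow credentials; a
// wildcard never suffices, because it would hand any site the user's
// authenticated data. Response header names are expected in lowercase.
function exposeResponse(request, response) {
  const header = (name) => response.headers[name.toLowerCase()];
  const allowOrigin = header("Access-Control-Allow-Origin");
  const allowCredentials = header("Access-Control-Allow-Credentials");
  const credentialed = request.credentials === "include";

  if (allowOrigin === undefined) {
    return { exposed: false, reason: "target did not opt in" };
  }
  if (credentialed) {
    if (allowOrigin === "*") {
      return { exposed: false, reason: "wildcard opt-in with credentials" };
    }
    if (allowCredentials !== "true") {
      return { exposed: false, reason: "credentials not allowed by target" };
    }
  }
  if (allowOrigin !== "*" && allowOrigin !== request.origin) {
    return { exposed: false, reason: "origin mismatch" };
  }

  // Expose only safelisted headers plus those the target explicitly lists.
  // Set-Cookie and other trusted header data stay hidden from the page.
  const listed = (header("Access-Control-Expose-Headers") || "")
    .split(",").map((s) => s.trim().toLowerCase()).filter(Boolean);
  const headers = {};
  for (const [name, value] of Object.entries(response.headers)) {
    if (SAFELISTED.has(name) || listed.includes(name)) headers[name] = value;
  }
  return { exposed: true, body: response.body, headers };
}

// Constructed sample responses from https://api.example.
const SAMPLE_RESPONSES = {
  noOptIn: { headers: { "content-type": "application/json" }, body: "{}" },
  wildcard: { headers: { "access-control-allow-origin": "*" }, body: "{}" },
  creds: {
    headers: {
      "access-control-allow-origin": PAGE_ORIGIN,
      "access-control-allow-credentials": "true",
      "content-type": "application/json",
      "set-cookie": "sid=constructed; HttpOnly",
      "x-request-id": "constructed-id",
    },
    body: '{"user":"alice"}',
  },
};

function demo() {
  const req = buildCrossSiteRequest("https://api.example/me", { withCredentials: true });
  const out = {};
  for (const [name, resp] of Object.entries(SAMPLE_RESPONSES)) {
    out[name] = exposeResponse(req, resp);
    console.log(name, JSON.stringify(out[name]));
  }
  return out;
}

demo();
```

Run with `node` to see the three outcomes: no opt-in and a wildcard opt-in both leave the credentialed response hidden, while the exact-origin opt-in exposes the body and `content-type` but not `set-cookie` or the unlisted `x-request-id`. A request built with the default `withCredentials: false` would be exposed by the wildcard response, which is the author-side rule the OpenAjax comment asked for: drop the cookies and the response can no longer leak anything tied to the user.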