Re: More clarity about cookie handling

On 2007-12-12 15:47:22 +0100, Anne van Kesteren wrote:

>> ----------------
>> When making a cross-site access request user agents should ensure to:
>>       ...
>>       Not to expose any trusted data, such as cookies, HTTP header data,
>>       inappropriately
>> ----------------

>> I worry that the language can be mis-interpreted or misunderstood. What
>> seems "inappropriate" to you might be different than what something else
>> thinks. My opinion (shared with other OpenAjax members) is that we would
>> like to see language that is simpler and more direct, such as "cookies
>> SHOULD NOT be sent with cross-site requests".

> That is actually the requirement after that one and only applies
> to authors.  I modified this requirement to make it more clear
> that it is about the response.

> If there are any further things the specification should clarify
> please let me know. Thanks!

Once more sitting on a train and catching up on e-mail... Whatever
happened to this thread?  Where in the current spec language is this

It might be worth revisiting this one with a view toward the recent
JSONRequest discussion.

Thomas Roessler, W3C  <>

Received on Sunday, 13 January 2008 16:44:12 UTC