Opting into cookies

I had lunch with sicking, dbaron, and Arun, and sicking proposed an 
interesting idea for how we could address their concerns with cookies 
being sent with AC/XHR2 requests.

The proposal is basically that along with the Access-Control header, the 
user agent can include an Access-Include-Credentials header. If the header 
is present, then, when sending the request, the user agent includes 
cookies and HTTP author headers (if any apply) as well as a 
Sec-Credentials-Included header to indicate that cookies and auth tokens 
were included (since the Cookie header might not be present, for instance, 
if no cookies apply, and the server needs to distinguish the case of the 
cookies having been potentially hidden intentionally from the case where 
the cookies were simply not present). In the case of GET requests, the 
credentials would be omitted by default and if the response includes the 
Access-Include-Credentials then it would be sent again with credentials.

The presence of Access-Include-Credentials would be cached along with the 
policy and subject to Access-Control-Max-Age.

If this would resolve Mozilla's concerns, then I think we should take it. 
Of course if it doesn't actually resolve their concerns then ignore me. :-)

Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

Received on Friday, 2 May 2008 22:45:25 UTC