Re: Opting into cookies

On Sat, 03 May 2008 00:44:45 +0200, Ian Hickson wrote:
> I had lunch with sicking, dbaron, and Arun, and sicking proposed an
> interesting idea for how we could address their concerns with cookies
> being sent with AC/XHR2 requests.

I'm not really convinced we should do this. It complicates the model and  
it's not very clear which problem it would solve.

One of the arguments from Mozilla I distinctly remember was the  
copy-and-paste authoring cult and that if Firefox would be first, Firefox  
would also be the only one being vulnerable in case a server became  
misconfigured. This concern is already being alleviated somewhat with  
WebKit implementing as well and this proposal wouldn't help with that  
because they might as well have copied the Access-Include-Credentials  
header too.

Also, since GET requests with cookies are already possible and OPTIONS  
requests with cookies are safe too, I don't really see why the explicit  
opt-in is needed.

So I'm not going to add this unless someone comes up with a more coherent  
story on why we need this.

Anne van Kesteren

Received on Saturday, 24 May 2008 08:46:32 UTC