- From: Adam Barth <public-webapi@adambarth.com>
- Date: Sat, 17 May 2008 11:10:26 -0700
- To: "public-webapi@w3.org" <public-webapi@w3.org>
- Cc: "Chris Wilson" <Chris.Wilson@microsoft.com>, "IE8 Core AJAX SWAT Team" <ieajax@microsoft.com>
There appear to be three main issues with including cookies in cross-site XHR and/or XDR requests:

1) Integrity: Legacy servers might not realize the request is cross-site and act based upon the cookies.

2) Privacy: Including the cookies lets sites more easily track users across domains.

3) Ambient authority: Cookies, in general, authorize, but fail to designate, actions.

One approach to dealing with issue (1) is to include the cookies in a header with a new name. For example, instead of including the header

    Cookie: SID=98sSJs0djffj82w3

we could include the header:

    XDomainRequestCookie: SID=98sSJs0djffj82w3

Legacy servers would ignore this header and not take action based on the user's session identifier. XDomainRequest-aware servers, however, could read the new header and provide useful, user-specific services based on its contents.

(Of course, cross-site XHR could use a similar approach.)

Adam
Received on Saturday, 17 May 2008 18:11:10 UTC
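The header-renaming idea in the message above, simulated as an added example (not code from the original message or from any browser or server): a constructed browser puts the cookie string in `Cookie` for same-site requests and in `XDomainRequestCookie` for cross-site ones, a legacy server reads only `Cookie`, and an aware server reads the renamed header and thereby learns the request is cross-site. The header dicts and the `SID` value are constructed for illustration.

```python
# Added example (not from the original message): the proposal that a
# cross-site request carries its cookies under a new header name, so that a
# legacy server, which only reads "Cookie", never sees a session on such a
# request and therefore cannot be tricked into acting on ambient authority.
from http.cookies import SimpleCookie

# Header name taken from the message; "Cookie" is the ordinary header.
XDR_COOKIE_HEADER = "XDomainRequestCookie"


def browser_headers(cookie_string, cross_site):
    """Constructed browser behaviour: pick which header carries the cookies."""
    name = XDR_COOKIE_HEADER if cross_site else "Cookie"
    return {name: cookie_string}


def parse_cookies(header_value):
    """Turn 'SID=abc; lang=en' into a dict; missing header -> empty dict."""
    if not header_value:
        return {}
    jar = SimpleCookie()
    jar.load(header_value)
    return {name: morsel.value for name, morsel in jar.items()}


def legacy_server(headers):
    """Legacy server: reads only Cookie and acts whenever a session is present.

    It has no notion of cross-site requests; the renamed header is ignored,
    so a cross-site request simply arrives with no session attached.
    """
    sid = parse_cookies(headers.get("Cookie")).get("SID")
    return {"session": sid, "acted": sid is not None}


def xdr_aware_server(headers):
    """XDomainRequest-aware server: accepts the renamed header as well.

    Because the session arrived under XDomainRequestCookie, the server knows
    the request is cross-site and can offer user-specific content while
    applying whatever policy it wants to cross-site actions.
    """
    cross_site = XDR_COOKIE_HEADER in headers
    source = headers.get(XDR_COOKIE_HEADER) if cross_site else headers.get("Cookie")
    sid = parse_cookies(source).get("SID")
    return {"session": sid, "cross_site": cross_site}
```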