Cross-set XHR / XDR cookies by another name

There appears to be three main issues with including cookies in
cross-site XHR and/or XDR requests:

1) Integrity: Legacy servers might not realize the request is
cross-site and act based upon the cookies.
2) Privacy: Including the cookies lets sites more easily track users
across domains.
3) Ambient authority: Cookies, in general, authorize, but fail to
designate, actions.

One approach to dealing with issue (1) is include the cookies in a
header with a new name.  For example, instead of including the header
"Cookie: SID=98sSJs0djffj82w3" we could include the header:

XDomainRequestCookie: SID=98sSJs0djffj82w3

Legacy servers would ignore this header and not take action based on
the user's session identifier.  XDomainRequest-aware servers, however,
could read the new header and provide useful, user-specific services
based on its contents.  (Of course, cross-site XHR could use a similar


Received on Saturday, 17 May 2008 18:11:10 UTC