Re: Opting in to cookies - proposal version 3

On Thu, 19 Jun 2008 11:42:57 +0200, Ian Hickson <> wrote:
> On Thu, 19 Jun 2008, Jonas Sicking wrote:
>>> This has one side-effect, which is that it doesn't work well with XBL
>>> or VBWG in environments where the XBL file (or VXML file) is
>>> customised to the user but accessed cross-site. Is that ok?
>> It doesn't "work well" in the sense that they don't work out-of-the-box.
>> It would be trivial to add a load-private-data pseudo attribute to the
>> <?xbl?> PI that sets the "with credentials" flag to true.
>> However I can't think of a situation where someone wants to load private
>> XBL bindings so I'm totally ok with it being a bit more hassle. It might
>> be a bigger deal for VXML, I don't know since I've not looked at that
>> spec.
> Sounds fair to me. I'll add the attribute to XBL2 when it goes back to LC
> once implementations start, assuming we adopt this.

Ian, it seemed to me you were talking about the server side problem  
because <?access-control?> alone would not be enough. XBL being served  
would need to be served with the appropriate HTTP headers set. (Also, not  
just <?xbl?> would need to be changed but also the other APIs for  
attaching XBL would require changing I presume.)

Anne van Kesteren

Received on Thursday, 19 June 2008 10:23:57 UTC