> > I mean, I guess
> > it's possible people will do this, but people could add
> > "Access-Control-Allow-Credentials" site-wide too. And if we add
> > "Access-Control-Allow-Credentials-I-Really-Mean-It", they'll add even
> Yes, this is certainly a possibility. But my hope is that this will
> happen to a smaller extent.

I share the "smaller extent" hope with Jonas, and his latest proposals
look good to me.

My assumption is that 99% of all cross-site XHR usage will not require
credentials/cookies. Therefore, what makes sense is a simple way that
server developers can opt in to credential-free cross-site XHR which tells
the browser to allow cross-site credential-free XHR to their site. Then, in
an advanced section of the AC spec, talk about how some workflows might
want credentials to be sent, and here is the extra header to enable
credentials (Access-Control-Allow-Credentials), but this section of the
spec should include SHOUTING TEXT about potential dangers and instruct the
developer that he should not enable transmission of credentials unless he
is sure that he needs it and he is sure that he knows what he is doing
(such as understanding what a CSRF attack is). I realize that some
developers won't read the spec carefully or notice the shouting text, but I
expect most tutorials and examples on the Web will follow the lead from the
spec and help to teach people to steer clear of the
Access-Control-Allow-Credentials header unless they know what they are


