Re: Opting in to cookies - proposal version 3 from Ian Hickson on 2008-06-20 (public-webapps@w3.org from April to June 2008)

From: Ian Hickson <ian@hixie.ch>
Date: Fri, 20 Jun 2008 05:55:46 +0000 (UTC)
To: Jonas Sicking <jonas@sicking.cc>
Cc: Web Applications Working Group WG <public-webapps@w3.org>
Message-ID: <Pine.LNX.4.62.0806200550340.13974@hixie.dreamhostps.com>

On Thu, 19 Jun 2008, Jonas Sicking wrote:
> >
> > That is, your solution only works so long as the site doesn't ever opt in to
> > cookies. Which seems uncommon.
> 
> This is not true. You can opt in to cookies on just a subset of the URIs 
> where you opt in to Access-Control with my proposal.

But the _entire assumption_ here is that the author is unable to correctly 
apply these features to the right subset of his site. If the author was 
able to correctly apply these features to the appropriate subset, then we 
wouldn't need your feature in the first place.

> Additionally, this way you can make sure to ask the user always before 
> sending the Access-Control-With-Credentials header. This way the risk of 
> leaking private data without the user realizing is further reduced.

But we both know browsers aren't going to do this, or will offer a "never 
ask me again" checkbox. 

> > (I'm assuming that the case of providing data cross-domain for simple 
> > GET requests is most easily handled just by having that script send 
> > back the right magic, in which case none of this applies as the URI 
> > space is one URI and there are no preflights at all. For this use case 
> > we don't have to worry about cookies at all as the server just 
> > wouldn't look at them.)
> 
> I'm not following what you are saying here. What script is "that 
> script"? And what is the "right magic"?

The script that provides the data, and the right magic is the 
Access-Control header.

> I am just as concerned about GET requests as any other. In fact, all the 
> private data leaks I've heard about with crossdomain.xml has been 
> related to GET requests.

Right but for these GET requests there's no preflight, and thus no 
Access-Control-Policy, and thus no need for any of this. The target of the 
GET, if it's supposed to return data cross-site, can just give the header 
and ignore the cookies; there's no risk of anything affecting the wrong 
set of pages. Each page would be individually opted in.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

Received on Friday, 20 June 2008 05:56:26 UTC