- From: Jonas Sicking <jonas@sicking.cc>
- Date: Sun, 22 Jun 2008 01:50:32 -0700
- To: Bjoern Hoehrmann <derhoermi@gmx.net>
- Cc: Web Applications Working Group WG <public-webapps@w3.org>

Bjoern Hoehrmann wrote:
> * Jonas Sicking wrote:
>> First off, as before, when I talk about "cookies" in this mail I really
>> mean cookies + digest auth headers + any other headers that carry the
>> user's credentials to a site.
>
> I don't quite see why you would mix these. Is there anywhere where I can
> read up on the use cases for an extra feature to enable the transmission
> of cookies if not included by default? Especially for user's credentials
> in cookies it is difficult to imagine real world applications that would
> depend on or at least greatly benefit from such a feature.

I'm not quite following what you are asking here. My proposal is about
giving a site the ability to enable two "modes" of Access-Control:

1. Allow a third-party site to read the data on this resource, and/or
   perform unsafe methods in HTTP requests to this resource. When
   these requests are sent, any cookie and/or auth headers (for the
   resource) are included in the request, just as if it had been a
   same-site XHR request.
2. Same as above, but requests never include cookies or auth headers.

In the spec currently only mode 1 is possible. I suggest that we make
mode 2 possible as well. I guess you can call it "opting out of cookies"
as well...

/ Jonas

Received on Sunday, 22 June 2008 08:51:35 UTC