Re: Opting in to cookies - proposal

Bjoern Hoehrmann wrote:
> * Jonas Sicking wrote:
>> First off, as before, when I talk about "cookies" in this mail I really
>> mean cookies + digest auth headers + any other headers that carry the
>> user's credentials to a site.
> 
> I don't quite see why you would mix these. Is there anywhere where I can
> read up on the use cases for an extra feature to enable the transmission
> of cookies if not included by default? Especially for users' credentials
> in cookies it is difficult to imagine real world applications that would
> depend on or at least greatly benefit from such a feature.

I'm not quite following what you are asking here. My proposal is about 
giving a site the ability to enable two "modes" of Access-Control:

1. Allow a third-party site to read the data on this resource, and/or
    perform unsafe methods in HTTP requests to this resource. When
    these requests are sent any cookie and/or auth headers (for the
    resource) are included in the request, just as if it had been a
    same-site XHR request.
2. Same as above, but requests never include cookies or auth headers.

In the spec currently only mode 1 is possible. I suggest that we make 
mode 2 possible as well. I guess you can call it "opting out of cookies" 
as well...

/ Jonas

Received on Sunday, 22 June 2008 08:51:35 UTC