- From: Jonas Sicking <jonas@sicking.cc>
- Date: Sun, 22 Jun 2008 01:50:32 -0700
- To: Bjoern Hoehrmann <derhoermi@gmx.net>
- Cc: Web Applications Working Group WG <public-webapps@w3.org>
Bjoern Hoehrmann wrote:
> * Jonas Sicking wrote:
>> First off, as before, when I talk about "cookies" in this mail I really
>> mean cookies + digest auth headers + any other headers that carry the
>> user's credentials to a site.
>
> I don't quite see why you would mix these. Is there anywhere where I can
> read up on the use cases for an extra feature to enable the transmission
> of cookies if not included by default? Especially for user's credentials
> in cookies it is difficult to imagine real world applications that would
> depend on or at least greatly benefit from such a feature.

I'm not quite following what you are asking here. My proposal is about giving a site the ability to enable two "modes" of Access-Control:

1. Allow a third-party site to read the data on this resource, and/or perform unsafe methods in HTTP requests to this resource. When these requests are sent, any cookie and/or auth headers (for the resource) are included in the request, just as if it had been a same-site XHR request.

2. Same as above, but requests never include cookies or auth headers.

In the spec currently only mode 1 is possible. I suggest that we make mode 2 possible as well. I guess you can call it "opting out of cookies" as well...

/ Jonas
Received on Sunday, 22 June 2008 08:51:35 UTC
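
The two modes described in the message, modelled as an added example that is not part of the original mail or of the Access-Control spec. The mode constants, the `buildCrossSiteRequest` function, the credential store layout and the choice to drop script-supplied credential headers are all assumptions made for illustration.

```javascript
// Hypothetical model of a user agent building a cross-site request.
// Names and data shapes are assumptions for this example, not spec text.
const MODE_WITH_CREDENTIALS = 1;    // "mode 1" in the message
const MODE_WITHOUT_CREDENTIALS = 2; // "mode 2" in the message

// Headers treated here as carrying the user's credentials (assumed set).
const CREDENTIAL_HEADERS = new Set(["cookie", "authorization"]);

function buildCrossSiteRequest(mode, url, authorHeaders, store) {
  if (mode !== MODE_WITH_CREDENTIALS && mode !== MODE_WITHOUT_CREDENTIALS) {
    throw new RangeError("unknown mode: " + mode);
  }
  const target = new URL(url);
  const headers = {};

  // Copy script-supplied headers, but drop credential headers in both modes
  // (matched case-insensitively) so only the user agent can attach them.
  for (const [name, value] of Object.entries(authorHeaders)) {
    if (!CREDENTIAL_HEADERS.has(name.toLowerCase())) headers[name] = value;
  }

  // Mode 1: attach what the user agent holds for the target origin only,
  // as it would for a same-site request. Mode 2: attach nothing.
  if (mode === MODE_WITH_CREDENTIALS) {
    const creds = store[target.origin] || {};
    if (creds.cookie) headers["Cookie"] = creds.cookie;
    if (creds.authorization) headers["Authorization"] = creds.authorization;
  }
  return { url: target.href, headers };
}

// Constructed sample data: credentials the user agent holds per origin.
const sampleStore = {
  "https://bank.example": {
    cookie: "session=abc123",
    authorization: 'Digest username="alice"',
  },
};

const url = "https://bank.example/accounts";
const fromScript = { "X-Requested-By": "widget", "COOKIE": "forged=1" };
console.log(buildCrossSiteRequest(MODE_WITH_CREDENTIALS, url, fromScript, sampleStore));
console.log(buildCrossSiteRequest(MODE_WITHOUT_CREDENTIALS, url, fromScript, sampleStore));
```

In mode 2 the resource receives the request with no ambient authority from the user, so it can only return or change what an anonymous caller could.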