Re: [XMLHttpRequest] withCredentials=false and returned cookies

It appears that both Safari and Firefox ignore returned cookies from a
cross-origin XHR when the credentials flag is set to false.  This behavior
seems very reasonable.

Should the XMLHttpRequest level 2 spec indicate that this is the expected
behavior?

Dave

On Thu, Jul 30, 2009 at 11:46 AM, David Levin <levin@chromium.org> wrote:

> In http://www.w3.org/TR/XMLHttpRequest2/#credentials, it
> says: "The credentials flag ...indicates whether a non same origin request
> includes cookie and HTTP authentication data...during the send() algorithm."
>
> If withCredentials is false, it seems like the cookies returned from the
> request shouldn't be stored either, but I couldn't find mention of this.
> (Why should the cookies returned from this be stored and possibly interfere
> with same origin requests, especially if the cookies aren't being sent?)
>
> Is this true?
>
> thanks, dave
>
>

Received on Wednesday, 12 August 2009 03:42:36 UTC
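
A way to check the behavior discussed in this thread in a given browser, as an added example that is not code from the thread or from any browser vendor: a page on one local port makes a cross-origin XHR with withCredentials=false whose response sets a cookie, then a second XHR with withCredentials=true, and the server reports whether that cookie came back. The ports, the cookie name "probe" and the --serve flag are assumptions of this example.

```javascript
// Added example: constructed harness; ports and cookie name "probe" are assumptions.
const PAGE = 'http://localhost:8000', API = 'http://localhost:8001';
// Parse a Cookie request header into a name -> value map.
function parseCookies(header) {
  const jar = {};
  for (const part of (header || '').split(';')) {
    const i = part.indexOf('=');
    if (i > 0) jar[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  return jar;
}
// Did the browser keep the cookie from the withCredentials=false response?
function verdict(cookieHeader, nonce) {
  return parseCookies(cookieHeader).probe === nonce ? 'stored' : 'ignored';
}
// CORS headers; a credentialed request also needs Allow-Credentials.
function corsHeaders(credentialed) {
  const h = { 'Access-Control-Allow-Origin': PAGE, 'Cache-Control': 'no-store' };
  if (credentialed) h['Access-Control-Allow-Credentials'] = 'true';
  return h;
}
// Test page: request 1 without credentials, request 2 with them.
const HTML = `<pre id="out">running</pre><script>
const n = String(Date.now());
function get(path, creds, done) {
  const x = new XMLHttpRequest();
  x.open('GET', '${API}' + path + '?n=' + n);
  x.withCredentials = creds;
  x.onload = () => done(x.responseText);
  x.send();
}
get('/set', false, () => get('/check', true, (t) => {
  document.getElementById('out').textContent = 'returned cookie was ' + t;
}));
</script>`;
function serve() {
  const http = require('http');
  const html = (req, res) => res.writeHead(200, { 'Content-Type': 'text/html' }).end(HTML);
  http.createServer(html).listen(8000);
  http.createServer((req, res) => {
    const url = new URL(req.url, API);
    const n = (url.searchParams.get('n') || '').replace(/\D/g, ''); // digits only
    const set = url.pathname === '/set';
    const extra = set ? { 'Set-Cookie': `probe=${n}; Path=/` } : {};
    res.writeHead(200, { ...corsHeaders(!set), ...extra });
    res.end(set ? 'set' : verdict(req.headers.cookie, n));
  }).listen(8001);
}
if (process.argv.includes('--serve')) serve();
```

Start it with the --serve argument under Node and open http://localhost:8000/ in the browser under test; the two ports are different origins but the same site, so a stored cookie is sent on the credentialed request.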