[cors] Set-Cookie / Referer / NTML / cache

On Fri, 09 Apr 2010 09:51:16 +0900, Maciej Stachowiak <mjs@apple.com>  
wrote:
> On Apr 8, 2010, at 5:20 PM, Tyler Close wrote:
>> This unique origin would still need to discard Set-Cookie response
>> headers to prevent the accumulation of credentials associated with the
>> unique origin. It would also need to prohibit the reuse of a TLS
>> client authenticated connection or NTLM authenticated connection. It
>> would also need to prevent use of cache entries populated by
>> non-uniform requests. The CORS draft is also unclear on what happens
>> with the Referer header.
>
> Good point. It seems like these should all be raised as issues on CORS.  
> I will do it if you don't beat me.

I think some of this was already addressed, but I have recently done some  
more work on this as it seemed you both were too busy to file issues. I  
renamed "credentials" to "user credentials" to make it more clear what it  
was referring to:

   http://dev.w3.org/2006/waf/access-control/#user-credentials

I added a requirement to not set cookies if the "credentials flag" is set,  
but I think in the end this would be better dealt with by passing a flag  
to the "fetch" algorithm defined in HTML5. The same goes for the Referer  
header. To that extent I have filed two bugs on HTML5:

   http://www.w3.org/Bugs/Public/show_bug.cgi?id=9603
   http://www.w3.org/Bugs/Public/show_bug.cgi?id=9604

I expect Ian to address these to our satisfaction or provide an  
alternative solution that does.


The comment about cache entries was not entirely clear to me. What is the  
problem with HTTP cache? Is the preflight result cache a problem?

If there is anything I missed that would be good to know too.


Thanks,


-- 
Anne van Kesteren
http://annevankesteren.nl/

Received on Friday, 7 May 2010 02:53:42 UTC