- From: Anne van Kesteren <annevk@opera.com>
- Date: Fri, 07 May 2010 11:52:45 +0900
- To: "Tyler Close" <tyler.close@gmail.com>, "Maciej Stachowiak" <mjs@apple.com>
- Cc: "Mark S. Miller" <erights@google.com>, "WebApps WG" <public-webapps@w3.org>
On Fri, 09 Apr 2010 09:51:16 +0900, Maciej Stachowiak <mjs@apple.com> wrote: > On Apr 8, 2010, at 5:20 PM, Tyler Close wrote: >> This unique origin would still need to discard Set-Cookie response >> headers to prevent the accumulation of credentials associated with the >> unique origin. It would also need to prohibit the reuse of a TLS >> client authenticated connection or NTLM authenticated connection. It >> would also need to prevent use of cache entries populated by >> non-uniform requests. The CORS draft is also unclear on what happens >> with the Referer header. > > Good point. It seems like these should all be raised as issues on CORS. > I will do it if you don't beat me. I think some of this was already addressed, but I have recently done some more work on this as it seemed you both were too busy to file issues. I renamed "credentials" to "user credentials" to make it more clear what it was referring to: http://dev.w3.org/2006/waf/access-control/#user-credentials I added a requirement to not set cookies if the "credentials flag" is set, but I think in the end this would be better dealt with by passing a flag to the "fetch" algorithm defined in HTML5. The same goes for the Referer header. To that extent I have filed two bugs on HTML5: http://www.w3.org/Bugs/Public/show_bug.cgi?id=9603 http://www.w3.org/Bugs/Public/show_bug.cgi?id=9604 I expect Ian to address these to our satisfaction or provide an alternative solution that does. The comment about cache entries was not entirely clear to me. What is the problem with HTTP cache? Is the preflight result cache a problem? If there is anything I missed that would be good to know too. Thanks, -- Anne van Kesteren http://annevankesteren.nl/
Received on Friday, 7 May 2010 02:53:42 UTC