On Wed, Nov 10, 2010 at 2:43 PM, Getify <getify@gmail.com> wrote:
>> Ah okay. So that would never work. As things tagged with "anonymous",
>> XMLHttpRequest without credentials, or AnonXMLHttpRequest would ignore
>> Set-Cookie headers.
>
> First of all, a CORS xhr request could be made with credentials (since
> they're available in the view-source JavaScript)... the question is whether
> or not evil.com making such a request (using CORS) against bank.com with
> credentials would in fact cause the SetCookie response header to be
> interpreted by the browser in such a way that the browser's session cookie
> for bank.com would be killed?

Yes, same way you can using <img src="http://bank.com/...">

> Secondly, are we sure that all implementations of CORS xhr are ignoring
> SetCookie headers in the "without credentials" case?

Please do try it. There isn't much the spec can do other than spec that they
should.

/ Jonas

Received on Wednesday, 10 November 2010 22:51:48 UTC
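The defender's side of the point above: since a plain <img> GET or a credentialed cross-origin XHR from another site reaches bank.com with the session cookie attached, an endpoint that expires that cookie must refuse requests it cannot tie to its own origin. This is an added example, not code from the thread or from any browser or spec; the request shape (`{ method, headers }`), the site origin and the cookie name are assumptions.

```javascript
// Added example: server-side guard for a session-clearing endpoint.
// Assumptions (not from the thread): Node.js, a minimal request object
// { method, headers }, and the constructed origin/cookie name below.
const SITE_ORIGIN = 'https://bank.example'; // constructed value
const SESSION_COOKIE = 'sid';               // constructed value

// True only when the browser tells us the request came from our own origin.
// Browsers send Origin on CORS requests and POST form submissions; an <img>
// GET from evil.com carries no Origin and, at best, evil.com's Referer.
function isSameOrigin(headers) {
  const origin = headers['origin'];
  if (origin !== undefined) return origin === SITE_ORIGIN;
  const referer = headers['referer'];
  if (referer !== undefined) {
    try { return new URL(referer).origin === SITE_ORIGIN; } catch { return false; }
  }
  return false; // no provenance at all: do not touch session state
}

// Build the response for a logout request. Only a same-origin POST may
// expire the session cookie; anything else gets 403 and no Set-Cookie,
// so a cross-origin <img> or CORS request cannot log the user out.
function handleLogout(req) {
  if (req.method !== 'POST' || !isSameOrigin(req.headers)) {
    return { status: 403, headers: {} };
  }
  return {
    status: 204,
    headers: {
      'Set-Cookie': `${SESSION_COOKIE}=; Max-Age=0; Path=/; Secure; HttpOnly; SameSite=Lax`,
    },
  };
}
```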