[whatwg] ContextAgnosticXmlHttpRequest: an informal RFC

Hallvord Reiar Michaelsen Steen wrote:
> On 21 Mar 2005 at 17:57, Chris Holland wrote:
>>1) disable cookies for a ContextAgnosticHttpRequest
>>2) maintain an entirely separate cookie table for this request. the
>>question then becomes, do we maintain a separate cookie table for each
>>referring document? [...]
> Yes, sounds like that would really complicate browser cookie 
> handling. A third way would be to discard previous cookies and not 
> send any with the first request, but keep and send any cookies during 
> subsequent http communication.

Discarding all cookies for a domain isn't an option. In that case, I 
could delete all *your* cookies for any domain I want by simply 
loading a resource from that host.

I think that the right thing to do is not to support cookies for 
cross domain requests. If you need cookies, you have to use primary 
server as a proxy.


Received on Wednesday, 23 March 2005 01:38:45 UTC