[whatwg] ContextAgnosticXmlHttpRequest: an informal RFC

On Wed, 23 Mar 2005 11:38:45 +0200, Mikko Rantalainen
<mikko.rantalainen at peda.net> wrote:

> > A third way would be to discard previous cookies and not
> > send any with the first request, but keep and send any cookies during
> > subsequent http communication.

> Discarding all cookies for a domain isn't an option. In that case, I
> could delete all *your* cookies for any domain I want by simply
> loading a resource from that host.

Excellent point, you're right.

> I think that the right thing to do is not to support cookies for
> cross domain requests. If you need cookies, you have to use primary
> server as a proxy.

..now that sounds like a complicated option..

Perhaps you are right. I'm not yet absolutely convinced that
webmasters need *that much* protection from themselves here but I note
that both you and Chris Holland think so..
Hallvord R. M. Steen

Received on Sunday, 27 March 2005 07:34:20 UTC