W3C home > Mailing lists > Public > whatwg@whatwg.org > March 2005

[whatwg] ContextAgnosticXmlHttpRequest: an informal RFC

From: Hallvord Reiar Michaelsen Steen <hallvord@hallvord.com>
Date: Fri, 11 Mar 2005 15:11:26 -0000
Message-ID: <4231C382.19898.683169B@localhost>
On 10 Mar 2005 at 0:24, Chris Holland wrote:

> When requesting a different host, we don't want the user agent to be
> sending along cookies pertaining to that domain. Same goes for any
> cached HTTP Basic Auth credentials.

Why not? Given that we add a mechanism for letting the third-party 
server control access to resources on a resource-by-resource basis, I 
don't see why we would want to prevent the third-party server from 
using sessions / cookies. Authentication is mostly a GUI problem (and 
GUI has always been ridiculous for HTTP auth anyway, with no way to 
terminate a session). It would not be a good thing if a JS request in 
the background could cause a HTTP authentication popup for a user 
name / password unrelated to the site you're browsing, so I agree 
with disallowing that. Am I missing anything regarding cookies?
Hallvord Reiar Michaelsen Steen

Note: mail to hallvors at online.no will still be read but you may 
want to start using 
hallvord at hallvord.com instead
Received on Friday, 11 March 2005 07:11:26 UTC

This archive was generated by hypermail 2.4.0 : Wednesday, 22 January 2020 16:58:39 UTC