- From: Hallvord Reiar Michaelsen Steen <hallvord@hallvord.com>
- Date: Fri, 11 Mar 2005 15:11:26 -0000
On 10 Mar 2005 at 0:24, Chris Holland wrote:

> When requesting a different host, we don't want the user agent to be
> sending along cookies pertaining to that domain. Same goes for any
> cached HTTP Basic Auth credentials.

Why not? Given that we add a mechanism for letting the third-party server control access to resources on a resource-by-resource basis, I don't see why we would want to prevent the third-party server from using sessions / cookies.

Authentication is mostly a GUI problem (and GUI has always been ridiculous for HTTP auth anyway, with no way to terminate a session). It would not be a good thing if a JS request in the background could cause a HTTP authentication popup for a user name / password unrelated to the site you're browsing, so I agree with disallowing that.

Am I missing anything regarding cookies?

--
Hallvord Reiar Michaelsen Steen
http://www.hallvord.com/

Note: mail to hallvors at online.no will still be read but you may want to start using hallvord at hallvord.com instead
Received on Friday, 11 March 2005 07:11:26 UTC