- From: Kenneth Russell <kbr@google.com>
- Date: Tue, 17 May 2011 15:15:07 -0700
On Tue, May 17, 2011 at 2:52 PM, Glenn Maynard <glenn at zewt.org> wrote:
> On Tue, May 17, 2011 at 5:40 PM, Jonas Sicking <jonas at sicking.cc> wrote:
>>
>> If the "supports credentials" flag is set to false, the request will
>> be made without cookies, and the server may respond with either
>> "Access-Control-Allow-Origin:*" or "Access-Control-Allow-Origin:
>> <origin>".
>>
>> I propose that the latter mode is used as it will make servers easier
>> to configure as they can just add a static header to all their
>> responses.
>
> This could be specified, eg. <img cors> without credentials and <img
> cors="credentials"> with. I don't know if there are use cases to justify
> it.

In general I think we need to enable as close behavior to the normal
image fetching code path as possible. For example, a mashup might
require you to be logged in to a site in order to display thumbnails
of movie trailers. If normal image fetches send cookies, then it has
to be possible to send them when doing a CORS request.

I like the idea of <img cors> vs. <img cors="credentials">.

-Ken
Received on Tuesday, 17 May 2011 15:15:07 UTC
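
The two request modes discussed in this thread, as an added example that is not part of the original message: a sketch of the check a browser applies to the image response, following the standard CORS rule that a credentialed request needs the exact origin echoed back plus `Access-Control-Allow-Credentials: true`. The helper name `corsCheck`, the origins and the sample responses are assumptions made for illustration.

```javascript
// Added example: header names are the standard CORS ones; the origins and
// responses below are constructed, and corsCheck is a hypothetical helper.
function corsCheck(requestOrigin, withCredentials, responseHeaders) {
  // HTTP header names are case-insensitive, so normalise them first.
  const h = {};
  for (const [name, value] of Object.entries(responseHeaders)) {
    h[name.toLowerCase()] = String(value).trim();
  }
  const allowOrigin = h['access-control-allow-origin'];
  if (allowOrigin === undefined) {
    return { ok: false, reason: 'missing Access-Control-Allow-Origin' };
  }
  if (!withCredentials) {
    // No cookies were sent: "*" or the exact requesting origin both pass.
    const ok = allowOrigin === '*' || allowOrigin === requestOrigin;
    return { ok, reason: ok ? 'allowed' : 'origin mismatch' };
  }
  // Cookies were sent: a static "*" is never enough, the server must echo the
  // exact origin and opt in with Access-Control-Allow-Credentials: true.
  if (allowOrigin === '*') {
    return { ok: false, reason: 'wildcard rejected for credentialed request' };
  }
  if (allowOrigin !== requestOrigin) {
    return { ok: false, reason: 'origin mismatch' };
  }
  if (h['access-control-allow-credentials'] !== 'true') {
    return { ok: false, reason: 'missing Access-Control-Allow-Credentials: true' };
  }
  return { ok: true, reason: 'allowed' };
}

// Constructed scenario: a mashup page requesting a thumbnail from another site.
const ORIGIN = 'https://mashup.example';
const STATIC_WILDCARD = { 'Access-Control-Allow-Origin': '*' };
const PER_ORIGIN = {
  'Access-Control-Allow-Origin': ORIGIN,
  'Access-Control-Allow-Credentials': 'true',
};

function runScenarios() {
  return {
    anonymousWildcard: corsCheck(ORIGIN, false, STATIC_WILDCARD),
    credentialedWildcard: corsCheck(ORIGIN, true, STATIC_WILDCARD),
    credentialedPerOrigin: corsCheck(ORIGIN, true, PER_ORIGIN),
    credentialedOtherOrigin: corsCheck('https://other.example', true, PER_ORIGIN),
  };
}

console.log(runScenarios());
```

The static wildcard header only satisfies the request made without cookies; a server that wants logged-in image fetches to pass has to generate the origin-specific headers per request.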