Thanks for your comments. I will reply again later when I make the draft
more clear, but I thought it would be nice to point out some
misunderstandings right away.
On Fri, 30 Nov 2007 19:03:46 +0100, Jon Ferraiolo <[EMAIL PROTECTED]>
wrote:
----------------
When making a cross-site access request user agents:
...
* SHOULD NOT transmit cookies or HTTP header data
----------------
Just a quick response. Cookies are transmitted if the user previously
authenticated at the site the request goes towards. The idea is that
cookie information in the _response_ is not revealed (responseXML.cookie
for instance) and also that Web authors cannot set cookie headers.
* I expect the words "HTTP header data" might need some work since the
specification does indicate that in some cases some HTTP headers are
sent.
This is, again, about the response.
* Although I haven't discovered any specific security problems, that
doesn't mean none exists.
Agreed. :-)
--
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>