Hi Jon,

On Fri, 30 Nov 2007 19:03:46 +0100, Jon Ferraiolo <[EMAIL PROTECTED]> wrote:
> [...] is that the wording about cookies needs to be
> clearer. The specification now says:
>
> ----------------
> When making a cross-site access request user agents should ensure to:
>       ...
>       Not to expose any trusted data, such as cookies, HTTP header data,
>       inappropriately
> ----------------
>
> I worry that the language can be mis-interpreted or misunderstood. What
> seems "inappropriate" to you might be different than what something else
> thinks. My opinion (shared with other OpenAjax members) is that we would
> like to see language that is simpler and more direct, such as "cookies
> SHOULD NOT be sent with cross-site requests".

That is actually the requirement after that one and only applies to authors. I modified this requirement to make it more clear that it is about the response.

If there are any further things the specification should clarify please let me know. Thanks!

Kind regards,


--
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>
