On Feb 19, 2008, at 17:11, Jon Ferraiolo wrote:

If you are going to consider requiring a preflight request where the server has to explicitly opt in to custom headers before custom headers will be sent, how about requiring a preflight request where the server has to explicitly opt in to cookies before cookies will be sent? That would help address the accountability issue that has been discussed recently.


Why should anyone need to be held accountable for performing a GET that could already be triggered with e.g. <img src='...'>? If a request causes an action that needs blame, surely such an action wouldn't be safe and idempotent.

--
Henri Sivonen
[EMAIL PROTECTED]
http://hsivonen.iki.fi/


