Close, Tyler J. wrote:
Sending the user's credentials without the user's consent creates a host of 
security problems, such as the one around headers the WG is currently 
struggling with and the ones I've written about on this list recently, without 
enabling any actually viable designs. For example, if the user's credentials 
are not used, and the target resource has to opt-in, it is OK to let the 
third-party web page specify whatever headers it wants, so long as the HTTP 
request is still well formed, since the third-party could have sent just such a 
request from its own machine.

All these problems exist even if we don't send cookies. The reason is intranet servers behind firewalls. These sites authenticate simply through the user's ability to connect to the server.

I've argued this in the past (in a discussion on JSONRequest vs. AC iirc), that disabling cookies doesn't actually buy any reliable protection, but it does risk giving us (spec writers) a false sense of security.

/ Jonas
