Brad Porter wrote:
Is there any chance you could make it a configurable user privacy/security option?  "Send 
cookies with cross-site xhr requests" and default to "no".  Then if a site does 
introduce a vulnerability it doesn't affect the masses and the workaround doesn't require switching 
to another browser altogether.

Technically it's trivial to make it a user option. However, I don't see how it makes any logical sense. If the default is to not send cookies, then no server is going to want to rely on them being sent. And for the very tiny number of users that would tweak such a pref, they are very much exposing themselves to servers that do not expect cookies to be sent and will unchecked send private data when cookies are sent.

/ Jonas
