On Sat, 03 May 2008 00:44:45 +0200, Ian Hickson <[EMAIL PROTECTED]> wrote:
> I had lunch with sicking, dbaron, and Arun, and sicking proposed an
> interesting idea for how we could address their concerns with cookies
> being sent with AC/XHR2 requests.

I'm not really convinced we should do this. It complicates the model and it's not very clear which problem it would solve.

One of the arguments from Mozilla I distinctly remember was the copy-and-paste authoring cult and that if Firefox would be first, Firefox would also be the only one being vulnerable in case a server became misconfigured. This concern is already being alleviated somewhat with WebKit implementing as well and this proposal wouldn't help with that because they might as well have copied the Access-Include-Credentials header too.

Also, since GET requests with cookies are already possible and OPTIONS requests with cookies are safe too, I don't really see why the explicit opt-in is needed.

So I'm not going to add this unless someone comes up with a more coherent story on why we need this.


--
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>
