There appear to be three main issues with including cookies in cross-site XHR and/or XDR requests:

1) Integrity: Legacy servers might not realize the request is cross-site and act based upon the cookies.

2) Privacy: Including the cookies lets sites more easily track users across domains.

3) Ambient authority: Cookies, in general, authorize, but fail to designate, actions.

One approach to dealing with issue (1) is to include the cookies in a header with a new name. For example, instead of including the header

  Cookie: SID=98sSJs0djffj82w3

we could include the header

  XDomainRequestCookie: SID=98sSJs0djffj82w3

Legacy servers would ignore this header and not take action based on the user's session identifier. XDomainRequest-aware servers, however, could read the new header and provide useful, user-specific services based on its contents. (Of course, cross-site XHR could use a similar approach.)

Adam
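As an added illustration of the renaming proposal (example code written for this page, not from the message's author or any browser or server): a browser-side function moves the cookies into the XDomainRequestCookie header on cross-site requests, a legacy server that only reads Cookie sees no session, and an XDomainRequest-aware server opts in to the new header. The function and variable names are hypothetical; the SID value is the one quoted in the message.

```python
# Hypothetical browser and server handlers demonstrating the header-renaming
# proposal. XDomainRequestCookie is the header name proposed in the message;
# everything else (function names, cookie jar) is constructed for this example.

def parse_cookie_pairs(value):
    """Split 'a=1; b=2' into {'a': '1', 'b': '2'}."""
    pairs = {}
    for part in value.split(";"):
        if "=" in part:
            name, _, val = part.strip().partition("=")
            pairs[name] = val
    return pairs


def browser_headers(stored_cookies, cross_site):
    """Build the request headers a browser would send.

    Same-site requests carry cookies in the usual Cookie header; cross-site
    XHR/XDR requests carry them under XDomainRequestCookie instead, so only
    servers that know about the new header can act on the session id.
    """
    header_name = "XDomainRequestCookie" if cross_site else "Cookie"
    return {header_name: "; ".join(f"{k}={v}" for k, v in stored_cookies.items())}


def legacy_server_session(headers):
    """A legacy server only ever reads Cookie, so the renamed header is ignored
    and a cross-site request is treated as unauthenticated (issue 1 avoided)."""
    return parse_cookie_pairs(headers.get("Cookie", "")).get("SID")


def xdr_aware_server_session(headers):
    """An XDomainRequest-aware server explicitly opts in to the renamed header
    and can offer user-specific content on cross-site calls."""
    cookie = headers.get("XDomainRequestCookie") or headers.get("Cookie", "")
    return parse_cookie_pairs(cookie).get("SID")


# Constructed sample cookie jar; the SID value is the one from the message.
COOKIE_JAR = {"SID": "98sSJs0djffj82w3", "lang": "en"}

if __name__ == "__main__":
    same = browser_headers(COOKIE_JAR, cross_site=False)
    cross = browser_headers(COOKIE_JAR, cross_site=True)
    print("same-site,  legacy:", legacy_server_session(same))       # 98sSJs0djffj82w3
    print("cross-site, legacy:", legacy_server_session(cross))      # None
    print("cross-site, aware :", xdr_aware_server_session(cross))   # 98sSJs0djffj82w3
```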