On Wed, Nov 10, 2010 at 2:43 PM, Getify <get...@gmail.com> wrote:
>> Ah okay. So that would never work. As things tagged with "anonymous",
>> XMLHttpRequest without credentials, or AnonXMLHttpRequest would ignore
>> Set-Cookie headers.
>
> First of all, a CORS xhr request could be made with credentials (since
> they're available in the view-source JavaScript)... the question is whether
> or not evil.com making such a request (using CORS) against bank.com with
> credentials would in fact cause the SetCookie response header to be
> interpreted by the browser in such a way that the browser's session cookie
> for bank.com would be killed?

Yes, same way you can using <img src="http://bank.com/...">

> Secondly, are we sure that all implementations of CORS xhr are ignoring
> SetCookie headers in the "without credentials" case?

Please do try it. There isn't much the spec can do other than spec that
they should.

/ Jonas
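The exchange above turns on one fact: the browser applies a Set-Cookie header from a credentialed cross-origin response whether or not the requesting page is allowed to read that response, exactly as it does for an <img> load. The practical consequence for a site like the bank.com in the thread is that the server, not the CORS response headers, has to decide whether a credentialed cross-origin request is acted on at all. The following is an added example and is not code from the thread, from the CORS specification or from any browser; the origin allowlist, the header names and the request objects are constructed for illustration. It shows a server-side decision function that echoes a specific allowed origin (never `*`) when credentials are permitted, refuses state-changing requests from any other origin, and issues session cookies with the attributes that keep them from being attached to cross-site requests in the first place.

```javascript
// Added example, not part of the original thread. Plain JavaScript so it runs
// without a web server; the same logic would sit in an HTTP handler.

// Hypothetical allowlist of origins permitted to make credentialed requests.
const ALLOWED_ORIGINS = new Set([
  "https://app.bank.example",
  "https://bank.example",
]);

// Decide how to answer a request. `headers` is an object whose keys are
// lower-cased request header names (constructed input in the demo below).
// Returns { allow, responseHeaders }: `allow` says whether the handler may run
// the state-changing action; `responseHeaders` are the CORS headers to send.
function decideCors(headers, allowed = ALLOWED_ORIGINS) {
  const origin = headers["origin"];
  // Vary on Origin so a cache never serves one origin's CORS answer to another.
  const responseHeaders = { Vary: "Origin" };

  if (origin === undefined) {
    // No Origin header: not a cross-origin fetch, nothing CORS-related to add.
    return { allow: true, responseHeaders };
  }

  if (allowed.has(origin)) {
    // Echo the exact origin. A wildcard is never valid together with
    // Allow-Credentials, and echoing an arbitrary Origin would defeat the list.
    responseHeaders["Access-Control-Allow-Origin"] = origin;
    responseHeaders["Access-Control-Allow-Credentials"] = "true";
    return { allow: true, responseHeaders };
  }

  // Unknown origin. Even though the page cannot read our response, the
  // browser would still process any Set-Cookie we emit, and the request
  // itself carried the user's cookies, so refuse to perform the action.
  return { allow: false, responseHeaders };
}

// Build a session cookie header. SameSite keeps the browser from attaching
// the cookie to cross-site requests, Secure and HttpOnly limit exposure.
function sessionCookieHeader(name, value) {
  return `${name}=${value}; Path=/; Secure; HttpOnly; SameSite=Lax`;
}

// Constructed sample requests: one from an unknown site carrying the user's
// cookie, one from an allowed origin, one same-origin request.
const SAMPLE_REQUESTS = [
  { origin: "https://evil.example", cookie: "session=abc123" },
  { origin: "https://app.bank.example", cookie: "session=abc123" },
  { cookie: "session=abc123" },
];

function runSamples() {
  return SAMPLE_REQUESTS.map((req) => decideCors(req));
}

// Stand-alone demonstration.
for (const result of runSamples()) {
  console.log(JSON.stringify(result));
}
console.log(sessionCookieHeader("session", "abc123"));
```

The decision happens before the handler touches any state: a request from an origin outside the list is dropped even though the browser would have hidden the response body from the calling page, because hiding the body is not the same as ignoring its headers.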