[whatwg] ContextAgnosticXmlHttpRequest: an informal RFC
Hallvord Reiar Michaelsen Steen
hallvord at hallvord.com
Fri Mar 11 07:11:26 PST 2005
On 10 Mar 2005 at 0:24, Chris Holland wrote:
> When requesting a different host, we don't want the user agent to be
> sending along cookies pertaining to that domain. Same goes for any
> cached HTTP Basic Auth credentials.
Why not? Given that we add a mechanism for letting the third-party
server control access to resources on a resource-by-resource basis, I
don't see why we would want to prevent the third-party server from
using sessions / cookies. Authentication is mostly a GUI problem (and
GUI has always been ridiculous for HTTP auth anyway, with no way to
terminate a session). It would not be a good thing if a JS request in
the background could cause an HTTP authentication popup for a user
name / password unrelated to the site you're browsing, so I agree
with disallowing that. Am I missing anything regarding cookies?
--
Hallvord Reiar Michaelsen Steen
http://www.hallvord.com/
Note: mail to hallvors at online.no will still be read but you may
want to start using
hallvord at hallvord.com instead