[whatwg] ContextAgnosticXmlHttpRequest: an informal RFC

Hallvord Reiar Michaelsen Steen hallvord at hallvord.com
Fri Mar 11 07:11:26 PST 2005

On 10 Mar 2005 at 0:24, Chris Holland wrote:

> When requesting a different host, we don't want the user agent to be
> sending along cookies pertaining to that domain. Same goes for any
> cached HTTP Basic Auth credentials.

Why not? Given that we add a mechanism for letting the third-party 
server control access to resources on a resource-by-resource basis, I 
don't see why we would want to prevent the third-party server from 
using sessions / cookies. Authentication is mostly a GUI problem (and 
GUI has always been ridiculous for HTTP auth anyway, with no way to 
terminate a session). It would not be a good thing if a JS request in 
the background could cause a HTTP authentication popup for a user 
name / password unrelated to the site you're browsing, so I agree 
with disallowing that. Am I missing anything regarding cookies?
Hallvord Reiar Michaelsen Steen

Note: mail to hallvors at online.no will still be read but you may 
want to start using 
hallvord at hallvord.com instead

More information about the whatwg mailing list