[whatwg] ContextAgnosticXmlHttpRequest: an informal RFC
mikko.rantalainen at peda.net
Wed Mar 23 01:38:45 PST 2005
Hallvord Reiar Michaelsen Steen wrote:
> On 21 Mar 2005 at 17:57, Chris Holland wrote:
>>1) disable cookies for a ContextAgnosticHttpRequest
>>2) maintain an entirely separate cookie table for this request. the
>>question then becomes, do we maintain a separate cookie table for each
>>referring document? [...]
> Yes, sounds like that would really complicate browser cookie
> handling. A third way would be to discard previous cookies and not
> send any with the first request, but keep and send any cookies during
> subsequent http communication.
Discarding all cookies for a domain isn't an option. In that case, I
could delete all *your* cookies for any domain I want by simply
loading a resource from that host.
I think that the right thing to do is not to support cookies for
cross domain requests. If you need cookies, you have to use primary
server as a proxy.
More information about the whatwg