[whatwg] ContextAgnosticXmlHttpRequest: an informal RFC
Hallvord R M Steen
hallvors at gmail.com
Sun Mar 27 07:34:20 PST 2005
On Wed, 23 Mar 2005 11:38:45 +0200, Mikko Rantalainen
<mikko.rantalainen at peda.net> wrote:
> > A third way would be to discard previous cookies and not
> > send any with the first request, but keep and send any cookies during
> > subsequent http communication.
> Discarding all cookies for a domain isn't an option. In that case, I
> could delete all *your* cookies for any domain I want by simply
> loading a resource from that host.
Excellent point, you're right.
> I think that the right thing to do is not to support cookies for
> cross domain requests. If you need cookies, you have to use primary
> server as a proxy.
..now that sounds like a complicated option..
Perhaps you are right. I'm not yet absolutely convinced that
webmasters need *that much* protection from themselves here but I note
that both you and Chris Holland think so..
Hallvord R. M. Steen
More information about the whatwg