On Wed, 06 Feb 2008 23:21:05 +0100, Jon Ferraiolo <[EMAIL PROTECTED]>
wrote:
> Thanks for presenting the cookie situation in this manner. One way to
> address your concern is to not send cookies. As I have stated numerous
> times, I don't think Access Control takes the best approach towards
> addressing the cross-site problem, but nevertheless, if it goes forward
> in a manner similar to what is in the spec today, I would prefer that it
> not send cookies. Or at a minimum, only transmit cookies if there is a prior
> OPTIONS call where the cross-site server authorizes the browser to send
> site B's cookies.

Cookies are already transmitted for cross-site requests today. For non-GET
requests a preflight request is made. You keep failing to provide a viable
scenario as to why either is an issue and yet you consistently e-mail this
list whenever you see a gap to complain about Access Control not taking
the best approach where the best approach is some trick we all have to
guess at. This is getting slightly annoying. Would it be possible to
provide clear rationale instead of telling us what you prefer, what you
think, etc.
--
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>