On Jun 13, 2008, at 4:56 PM, Jonas Sicking wrote:


Hi All,

Since I haven't received any feedback on the various straw-men in the "Opting in to cookies" thread, I'll send a full proposal (wrote most of this yesterday, Thomas wrote some opinions on cookies this morning).

First off, as before, when I talk about "cookies" in this mail I really
mean cookies + digest auth headers + any other headers that carry the
user's credentials to a site. However, I'll just use the term "cookies"
for readability, and since that is on the web currently the most
common carrier of credentials.

So here goes:

When loading a resource using access-control, associate the request with
a "with credentials" flag.

When the resource is loaded using a URI which starts with the string
"user-private:" set the "with credentials" flag to true. Otherwise set
it to false.

How could an http or https URI start with the string "user-private:"? Are you proposing a new URI scheme?

Regards,
Maciej

