Bjoern Hoehrmann wrote:
> * Jonas Sicking wrote:
>> First off, as before, when I talk about "cookies" in this mail I really
>> mean cookies + digest auth headers + any other headers that carry the
>> user's credentials to a site.
>
> I don't quite see why you would mix these. Is there anywhere where I can
> read up on the use cases for an extra feature to enable the transmission
> of cookies if not included by default? Especially for user's credentials
> in cookies it is difficult to imagine real world applications that would
> depend on or at least greatly benefit from such a feature.

I'm not quite following what you are asking here. My proposal is about giving a site the ability to enable two "modes" of Access-Control:

1. Allow a third-party site to read the data on this resource, and/or
   perform unsafe methods in HTTP requests to this resource. When
   these requests are sent, any cookie and/or auth headers (for the
   resource) are included in the request, just as if it had been a
   same-site XHR request.
2. Same as above, but requests never include cookies or auth headers.

In the spec currently only mode 1 is possible. I suggest that we make mode 2 possible as well. I guess you can call it "opting out of cookies" as well...

/ Jonas
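
The practical difference between the two modes, as an added example that is not part of the original mail or of any spec text: a constructed model of a user agent and a target resource, showing what a third-party page can read or change in each mode. The function names, the `mode` parameter, the `bank.example` origin, the credential values and the server's behaviour are all assumptions made for illustration.

```javascript
// Constructed model of the credentials a user agent holds for one site.
// Every name and value here is hypothetical; the mail defines no API.
const credentialStore = {
  "https://bank.example": {
    cookie: "session=abc123",                 // constructed sample value
    authorization: 'Digest username="alice"', // constructed, abbreviated
  },
};

// Headers the user agent attaches to a cross-site Access-Control request.
// Mode 1: cookies and auth headers included, as for a same-site XHR request.
// Mode 2: cookies and auth headers are never included.
function buildRequestHeaders(targetOrigin, mode, store = credentialStore) {
  if (mode !== 1 && mode !== 2) throw new RangeError("mode must be 1 or 2");
  const headers = {};
  const creds = store[targetOrigin];
  if (mode === 1 && creds) {
    if (creds.cookie) headers["Cookie"] = creds.cookie;
    if (creds.authorization) headers["Authorization"] = creds.authorization;
  }
  return headers;
}

// Constructed resource on the target site. It personalises reads and
// accepts unsafe methods only when the user's session cookie is present.
function serveResource(method, headers) {
  const authenticated = headers["Cookie"] === "session=abc123";
  if (method === "GET") {
    return authenticated
      ? { status: 200, body: "alice: private account data" }
      : { status: 200, body: "public data" };
  }
  // Unsafe method (POST, PUT, DELETE): needs the user's authority.
  return authenticated
    ? { status: 200, body: "state changed as alice" }
    : { status: 401, body: "authentication required" };
}

// What a third-party page obtains from the resource in the given mode.
function thirdPartyRequest(method, mode) {
  const headers = buildRequestHeaders("https://bank.example", mode);
  return serveResource(method, headers);
}

for (const mode of [1, 2]) {
  console.log(`mode ${mode} GET :`, thirdPartyRequest("GET", mode));
  console.log(`mode ${mode} POST:`, thirdPartyRequest("POST", mode));
}
```

In mode 1 the third-party page acts with the user's authority on the target site; in mode 2 it sees and can do only what an anonymous client could.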
