Hi Anne,
Great changes. One comment: On Jul 8, 2008, at 12:31 PM, Anne van Kesteren wrote:
* Access-Control-Credentials provides an opt in mechanism for credentials. Whether or not credentials are included in the request depends on the "credentials flag", which is set by a hosting specification. Preflight requests are always without credentials.
This does not match my understanding of what we agreed to at the face- to-face meeting, which was that cookies would be auto-negotiated for GET request by default for XHR2. Neither setting of the credentials flag matches this. We need to either replace the true value with negotiate mode, or make the flag a tri-state of true/false/negotiate, with XHR2 defaulting to negotiate.
Regards, Maciej
