It appears that both Safari and Firefox ignore returned cookies from a cross origin xhr when the credentials flag is set to false. This behavior seems very reasonable. Should the XMLHttpRequest level 2 spec indicate that this is the expected behavior?

Dave

On Thu, Jul 30, 2009 at 11:46 AM, David Levin <[email protected]> wrote:

> In http://www.w3.org/TR/XMLHttpRequest2/#credentials, it says: "The credentials flag ...indicates whether a non same origin request includes cookie and HTTP authentication data...during the send() algorithm."
>
> If withCredentials is false, it seems like the cookies returned from the request shouldn't be stored either, but I couldn't find mention of this. (Why should the cookies returned from this be stored and possibly interfere with same origin requests, especially if the cookies aren't being sent?)
>
> Is this true?
>
> thanks,
> dave
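
The behaviour reported in this thread, modelled as an added JavaScript example (not part of the original e-mails and not browser source code): a toy user agent that neither sends nor stores cookies on a cross-origin request when the credentials flag is false. The class `ModelUserAgent`, the `.example` origins and the stub server are assumptions made for the illustration.

```javascript
// Model of a user agent's cookie handling for XHR (constructed for illustration).
// Simplification: cookies are keyed by origin and attributes are ignored.
class ModelUserAgent {
  constructor(pageOrigin) {
    this.pageOrigin = pageOrigin;
    this.jar = new Map(); // origin -> Map(cookie name -> value)
  }
  cookieHeader(origin) {
    const cookies = this.jar.get(origin) || new Map();
    return [...cookies].map(([name, value]) => `${name}=${value}`).join("; ");
  }
  store(origin, setCookieHeaders) {
    if (!this.jar.has(origin)) this.jar.set(origin, new Map());
    for (const header of setCookieHeaders) {
      const pair = header.split(";")[0];          // drop attributes
      const eq = pair.indexOf("=");
      if (eq < 1) continue;                       // skip malformed headers
      this.jar.get(origin).set(pair.slice(0, eq).trim(), pair.slice(eq + 1).trim());
    }
  }
  // `server` stands in for the remote end: (requestHeaders) => { setCookie: [...] }
  xhr(targetOrigin, withCredentials, server) {
    // The credentials flag only matters for non same origin requests.
    const credentialed = targetOrigin === this.pageOrigin || withCredentials;
    const requestHeaders = {};
    const cookie = credentialed ? this.cookieHeader(targetOrigin) : "";
    if (cookie) requestHeaders.cookie = cookie;
    const response = server(requestHeaders);
    // Behaviour reported in the thread: returned cookies are ignored when
    // the flag is false, so they cannot disturb the existing jar.
    if (credentialed) this.store(targetOrigin, response.setCookie || []);
    return { sentCookie: requestHeaders.cookie || null };
  }
}

function demo() {
  const ua = new ModelUserAgent("https://site-a.example");
  const api = "https://api.example";
  ua.store(api, ["sid=alice; Path=/"]); // session set earlier by api.example itself
  // Constructed server: always tries to set a fresh anonymous session cookie.
  const server = () => ({ setCookie: ["sid=anonymous; Path=/"] });
  const plain = ua.xhr(api, false, server);
  const afterPlain = ua.cookieHeader(api);
  const cred = ua.xhr(api, true, server);
  const afterCred = ua.cookieHeader(api);
  return { plain, afterPlain, cred, afterCred };
}
```

In the model, the uncredentialed request leaves the existing `sid` cookie untouched, which is the interference the original question asks about; only the credentialed request lets the response overwrite it.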
