On Fri, 09 Apr 2010 09:51:16 +0900, Maciej Stachowiak <[email protected]> wrote:
> On Apr 8, 2010, at 5:20 PM, Tyler Close wrote:
>> This unique origin would still need to discard Set-Cookie response
>> headers to prevent the accumulation of credentials associated with the
>> unique origin. It would also need to prohibit the reuse of a TLS
>> client authenticated connection or NTLM authenticated connection. It
>> would also need to prevent use of cache entries populated by
>> non-uniform requests. The CORS draft is also unclear on what happens
>> with the Referer header.
>
> Good point. It seems like these should all be raised as issues on CORS.
> I will do it if you don't beat me.
I think some of this was already addressed, but I have recently done some
more work on this as it seemed you both were too busy to file issues. I
renamed "credentials" to "user credentials" to make it more clear what it
was referring to:

http://dev.w3.org/2006/waf/access-control/#user-credentials

I added a requirement to not set cookies if the "credentials flag" is set,
but I think in the end this would be better dealt with by passing a flag
to the "fetch" algorithm defined in HTML5. The same goes for the Referer
header. To that extent I have filed two bugs on HTML5:

http://www.w3.org/Bugs/Public/show_bug.cgi?id=9603
http://www.w3.org/Bugs/Public/show_bug.cgi?id=9604

I expect Ian to address these to our satisfaction or provide an
alternative solution that does.

The comment about cache entries was not entirely clear to me. What is the
problem with HTTP cache? Is the preflight result cache a problem?

If there is anything I missed that would be good to know too.
Thanks,
--
Anne van Kesteren
http://annevankesteren.nl/
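The thread above argues about three things a fetch made without the user's credentials must not do: send ambient state (cookies, and possibly Referer), store Set-Cookie from the response, and reuse a cache entry that was populated by a credentialed request. The toy model below is an added illustration written for this post; it is not code from CORS, HTML5, or any browser. `ToyOrigin`, `Fetcher`, the URLs, and the `session=abc123` cookie are all constructed for the example. The cache is keyed by the credentials flag as well as the URL, which is one way of keeping "non-uniform" requests apart; treating Referer as ambient state that is dropped when the flag is unset is a modelling choice here, since the thread leaves that question open. TLS client-auth and NTLM connection reuse are not modelled, but the same per-flag keying would apply to a connection pool.

```python
"""Toy model of a fetch algorithm with a per-request credentials flag.

Constructed example for illustration only: ToyOrigin stands in for a remote
server and always answers with a Set-Cookie header and a cacheable body.
"""

from dataclasses import dataclass


@dataclass
class Response:
    status: int
    headers: dict
    body: bytes


class ToyOrigin:
    """Constructed stand-in for a cross-origin server; records what it sees."""

    def __init__(self):
        self.seen = []  # one dict of request headers per request received

    def handle(self, headers):
        self.seen.append(dict(headers))
        body = b"cookie-seen=" + headers.get("Cookie", "none").encode()
        return Response(
            200,
            {"Set-Cookie": "session=abc123; Path=/",  # constructed value
             "Cache-Control": "max-age=60"},
            body,
        )


class Fetcher:
    """Minimal user-agent model: one cookie jar, one response cache."""

    def __init__(self, origin):
        self.origin = origin
        self.cookie_jar = {}  # name -> value; the user's ambient credentials
        self.cache = {}       # (credentials_flag, url) -> Response

    def fetch(self, url, referrer, credentials=False):
        # Cache entries are keyed by the credentials flag as well as the URL, so
        # a response obtained with the user's cookies is never replayed to an
        # anonymous request, and an anonymous response never to a credentialed
        # one.
        key = (credentials, url)
        if key in self.cache:
            return self.cache[key]

        headers = {}
        if credentials:
            if self.cookie_jar:
                headers["Cookie"] = "; ".join(
                    f"{k}={v}" for k, v in self.cookie_jar.items())
            headers["Referer"] = referrer
        # With the flag unset nothing ambient is attached: no Cookie and (a
        # modelling choice in this example) no Referer either.

        resp = self.origin.handle(headers)

        if credentials:
            self._store_cookie(resp.headers.get("Set-Cookie"))
        # Otherwise Set-Cookie is discarded: an anonymous fetch cannot build up
        # credentials that a later request would silently send.

        self.cache[key] = resp
        return resp

    def _store_cookie(self, set_cookie):
        if not set_cookie:
            return
        name, _, value = set_cookie.split(";", 1)[0].partition("=")
        self.cookie_jar[name.strip()] = value.strip()


def scenario():
    """Interleave anonymous and credentialed fetches against one origin and
    report what the origin saw and what the jar ended up holding."""
    origin = ToyOrigin()
    ua = Fetcher(origin)
    page = "https://app.test/page"            # constructed referrer
    url_a = "https://example.test/a"          # constructed URLs
    url_b = "https://example.test/b"

    ua.fetch(url_a, page, credentials=False)  # 1: nothing ambient sent
    ua.fetch(url_a, page, credentials=True)   # 2: not served from anon cache;
                                              #    jar empty, Referer only
    ua.fetch(url_b, page, credentials=True)   # 3: Cookie now attached
    ua.fetch(url_b, page, credentials=False)  # 4: anon miss, still no Cookie
    ua.fetch(url_a, page, credentials=False)  # 5: anon cache hit, no request

    return {"requests": origin.seen, "jar": dict(ua.cookie_jar)}


if __name__ == "__main__":
    for i, h in enumerate(scenario()["requests"], 1):
        print(i, h)
```

Running `scenario()` shows four requests reaching the origin (the fifth fetch is an anonymous cache hit): the two anonymous requests carry no headers at all, the credentialed request after the jar has been filled carries `Cookie: session=abc123`, and the jar only ever gains the cookie through a credentialed fetch.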