Ah okay. So that would never work. As things tagged with anonymous,
XMLHttpRequest without credentials, or AnonXMLHttpRequest would ignore
Set-Cookie headers.
First of all, a CORS xhr request could be made with credentials (since
they're available in the view-source JavaScript)... the

I just read through this thread, and found it really interesting. Figured I
would chime in with my opinions, for whatever that's worth.
Firstly, let me explain I run a project called flXHR (http://flxhr.flensed.com)
which is an XHR clone variant with cross-domain Ajax capability (using