Re: [cors] Set-Cookie / Referer / NTML / cache

2010-05-13 Thread Jonas Sicking
On Thu, May 13, 2010 at 12:05 AM, Anne van Kesteren wrote: > On Wed, 12 May 2010 22:18:54 +0200, Jonas Sicking wrote: >> >> I don't think that is needed. If I understand it correctly, your >> concern is as follows: > > Hmm yeah... What about simplifying XMLHttpRequest though by removing > withCre

Re: [cors] Set-Cookie / Referer / NTML / cache

2010-05-13 Thread Anne van Kesteren
On Wed, 12 May 2010 22:18:54 +0200, Jonas Sicking wrote: I don't think that is needed. If I understand it correctly, your concern is as follows: Hmm yeah... What about simplifying XMLHttpRequest though by removing withCredentials? I think that would be a quite a good improvement especially

Re: [cors] Set-Cookie / Referer / NTML / cache

2010-05-12 Thread Jonas Sicking
On Wed, May 12, 2010 at 4:02 AM, Anne van Kesteren wrote: > Thanks a lot for explaining this Jonas! In theory this seems like a bug in > the server for not sending the appropriate Vary header, but it makes sense > to not rely on the server for doing the right thing. > > However, it seems this mean

Re: [cors] Set-Cookie / Referer / NTML / cache

2010-05-12 Thread Anne van Kesteren
Thanks a lot for explaining this Jonas! In theory this seems like a bug in the server for not sending the appropriate Vary header, but it makes sense to not rely on the server for doing the right thing. However, it seems this means we end up with three separate caches. One for requests incl

Re: [cors] Set-Cookie / Referer / NTML / cache

2010-05-11 Thread Jonas Sicking
On Thu, May 6, 2010 at 7:52 PM, Anne van Kesteren wrote: > On Fri, 09 Apr 2010 09:51:16 +0900, Maciej Stachowiak wrote: >> >> On Apr 8, 2010, at 5:20 PM, Tyler Close wrote: >>> >>> This unique origin would still need to discard Set-Cookie response >>> headers to prevent the accumulation of creden

Re: [cors] Set-Cookie / Referer / NTML / cache

2010-05-06 Thread Ian Hickson
On Fri, 7 May 2010, Anne van Kesteren wrote: > > http://www.w3.org/Bugs/Public/show_bug.cgi?id=9603 > http://www.w3.org/Bugs/Public/show_bug.cgi?id=9604 > > I expect Ian to address these to our satisfaction or provide an > alternative solution that does. These seem uncontroversial; I'll get t

[cors] Set-Cookie / Referer / NTML / cache

2010-05-06 Thread Anne van Kesteren
On Fri, 09 Apr 2010 09:51:16 +0900, Maciej Stachowiak wrote: On Apr 8, 2010, at 5:20 PM, Tyler Close wrote: This unique origin would still need to discard Set-Cookie response headers to prevent the accumulation of credentials associated with the unique origin. It would also need to prohibit th