On 2012-09-08 08:23, Russ Allbery wrote:
Except... new trends in cross-site-scripting protection and privacy
requires you to be the host named in the browser location bar to set a
cookie.

Sure, but you are.  When you do a GET to a WebAuth-protected site with an
expired token, you get a redirect to WebLogin followed by a redirect back
to the original site, which re-establishes your cookies and then gives you
the resource you asked for.  As long as your AJAX follows those redirects,
and for a GET there's no reason why it wouldn't,

But following those redirects makes you lose JavaScript state - which doesn't make web developers happy.

Problems such as this really make me think HTTP authentication standardization has failed.

/Peter
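The redirect chain Russ describes (GET to the protected site, bounce to WebLogin, bounce back with fresh cookies) is followed silently by a browser fetch(), and Peter's complaint is that once the page itself has to navigate to log in, whatever the script was holding is gone. The JavaScript below is an added example, not code from this thread or from WebAuth: it inspects the final URL of a fetch response to tell a plain answer from a re-authenticated one from a landing on the login page, stashes in-page state before handing the browser to the login host, and restores it afterwards. `WEBLOGIN_HOST`, `API_URL`, the in-memory store and the canned responses are placeholders constructed for the example so it runs without a browser or a network.

```javascript
// Added example (not from the thread or from WebAuth): detecting that an
// AJAX request was bounced through the login service, and keeping in-page
// state alive across the resulting full-page navigation.
// WEBLOGIN_HOST is a placeholder; replace it with the real WebLogin host.
const WEBLOGIN_HOST = "weblogin.example.org";
const STATE_KEY = "app.pendingState";

// fetch() follows the redirect chain silently, so after the call the only
// evidence of what happened is the final URL and the `redirected` flag.
function classifyResponse(response, requestedUrl) {
  const finalUrl = new URL(response.url);
  if (finalUrl.host === WEBLOGIN_HOST) {
    // Chain ended on the login page: the token expired and the login form
    // came back in place of the resource.
    return "needs-login";
  }
  if (response.redirected && finalUrl.origin === new URL(requestedUrl).origin) {
    // Bounced to WebLogin and back; session cookies were re-established.
    return "reauthenticated";
  }
  return "direct";
}

// Persist client state somewhere that survives a page navigation
// (window.sessionStorage in a browser; any object with the same methods here).
// Only UI state belongs here, never credentials or tokens.
function saveState(store, state) {
  store.setItem(STATE_KEY, JSON.stringify(state));
}

function restoreState(store) {
  const raw = store.getItem(STATE_KEY);
  if (raw === null) return null;
  store.removeItem(STATE_KEY);
  return JSON.parse(raw);
}

// Synchronous decision logic, separated from the network call so it can be
// exercised offline. `navigate` is what sends the browser to the login page
// (window.location.assign in a browser).
function handleResponse(response, requestedUrl, state, store, navigate) {
  const kind = classifyResponse(response, requestedUrl);
  if (kind === "needs-login") {
    saveState(store, state);   // stash state before the page goes away
    navigate(response.url);    // let the user log in; restoreState() runs on return
    return { kind, response: null };
  }
  return { kind, response };
}

// Thin async wrapper for real use: pass window.fetch as fetchLike in a browser.
async function authAwareFetch(fetchLike, url, state, store, navigate) {
  const response = await fetchLike(url, { credentials: "include", redirect: "follow" });
  return handleResponse(response, url, state, store, navigate);
}

// Constructed stand-in for sessionStorage so the example runs outside a browser.
function memoryStore() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
    removeItem: (k) => { m.delete(k); },
  };
}

// Constructed responses for the three outcomes of a GET to a protected resource.
const API_URL = "https://app.example.org/api/items";
const SAMPLE_RESPONSES = {
  direct:          { url: API_URL, redirected: false, status: 200 },
  reauthenticated: { url: API_URL, redirected: true,  status: 200 },
  needsLogin:      { url: `https://${WEBLOGIN_HOST}/login`, redirected: true, status: 200 },
};
```

Two caveats for real deployments: if WebLogin lives on a different origin and does not send CORS headers, the browser rejects the fetch with a TypeError on the cross-origin redirect instead of handing back a response, so production code also needs a catch path that treats that failure as the needs-login case without confusing it with an ordinary network outage; and on the older XMLHttpRequest API the final URL is exposed as `responseURL`, with no `redirected` flag, so the "reauthenticated" distinction has to be inferred from a side channel such as a response header the application sets itself.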

