https://bugzilla.wikimedia.org/show_bug.cgi?id=19907

Krinkle <[email protected]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |[email protected]

--- Comment #16 from Krinkle <[email protected]> 2011-12-29 11:25:26 UTC ---
(In reply to comment #14)
> The catch here is in the definition of "credentialed request". We don't want
> this to mean "any request that passes a cookie" because that would be
> excessive; rather, we want this to mean "any request that would actually use
> the cookie information", i.e. requests with user-specific or privileged 
> things.

Makes sense. Although it might get a bit complicated when put into perspective
of the CORS point of view.

So from the browser perspective, for requests that are NOT "credentialed" the
browser will not send cookies that it has stored for that domain/path, meaning
that the API will not receive them and the user is treated as a logged-out user.

So it looks like this looks good for us on both sides (we can't cache
user-specific stuff, user-specific stuff should be in a "credentialed request",
CORS specification / browsers make it impossible for non "credentialed
requests" to be user specific anyway).
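
A simplified model of the browser and API behaviour discussed in this comment, added here as an example; it is not part of the original bug thread and not MediaWiki's code. The origins, cookie value, allowlist and cache lifetimes are constructed, and `moduleIsUserSpecific` is a hypothetical flag standing in for "this request would actually use the cookie information".

```javascript
// Simplified model (added example): names, origins and the allowlist are constructed.
const ALLOWED_ORIGINS = new Set(['https://tools.example']); // hypothetical allowlist

// Browser side: a cross-origin request carries stored cookies only in
// credentials mode 'include' (fetch) / withCredentials = true (XHR).
function browserBuildRequest(origin, credentialsMode, cookieJar) {
  const headers = { Origin: origin };
  if (credentialsMode === 'include' && cookieJar) headers.Cookie = cookieJar;
  return { headers, credentialsMode };
}

// Server side: only a response that actually uses the session is user-specific.
function apiRespond(request, moduleIsUserSpecific) {
  const { Origin: origin, Cookie: cookie } = request.headers;
  const usesSession = Boolean(cookie) && moduleIsUserSpecific &&
    ALLOWED_ORIGINS.has(origin);
  if (usesSession) {
    return {
      user: 'logged-in',
      headers: {
        'Access-Control-Allow-Origin': origin, // '*' is not accepted here
        'Access-Control-Allow-Credentials': 'true',
        'Vary': 'Origin',                      // response differs per origin
        'Cache-Control': 'private, no-store',  // never shared-cache user data
      },
    };
  }
  return {
    user: 'anonymous',
    headers: {
      'Access-Control-Allow-Origin': '*',
      'Cache-Control': 'public, max-age=300',
    },
  };
}

// Browser side: decide whether page script may read the response.
function browserExposesResponse(request, response) {
  const acao = response.headers['Access-Control-Allow-Origin'];
  if (request.credentialsMode !== 'include') {
    return acao === '*' || acao === request.headers.Origin;
  }
  // Credentialed: exact origin match plus Allow-Credentials, wildcard rejected.
  return acao === request.headers.Origin &&
    response.headers['Access-Control-Allow-Credentials'] === 'true';
}
```

In this model a credentialed request that the server answers with `*` is withheld from the calling script, so a client that only needs public data sends the request without credentials.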
