Cookies delivered over unencrypted channels create real risks to user privacy. Building on some of Mozilla's earlier work, I'd suggest that now's a good time to start deprecating them: https://github.com/mikewest/cookies-over-http-bad …
-
Hotter take: cookies _are_ bearer tokens.
-
No. Bearer tokens need to be passed explicitly. Cookies are transmitted automatically. The latter gives you XSRF. No cookies, no CORS worries.
-
Ok, that sounds fair. How would you suggest that browsers decide when to send tokens?
-
That's easy: never. (Not sure if practical, I'm just sitting on my bench here, brandishing my walking cane)
-
It is a very nice cane. :)