@reinboar I'm not sure yet whether I will make this serve static files only, or also support CGI and maybe FastCGI. If it's static only, cookies aren't really a threat anyway (as far as I understand, happy to be corrected). If it supports dynamic content, absolutely, the server will not pass cookies or referers to the applications, and it will not permit the applications to send cookies or ETags (which can be used as a sneaky cookie substitute).
@reinboar The browser automatically sends them along in the headers with any request to the server, based on the domain. The server has no way to request them directly. But a static site has no way to set them in the first place, or to interpret any that somehow got sent along, so until CGI arrives they're a non-threat.
@reinboar My definition of "static website" is basically "a bunch of files served from the disk", so there's no way for a static website to process a POST request. That fundamentally requires CGI, FastCGI, or some newfangled work-alike.
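
The header filtering described in the first reply above, sketched as an added example that is not part of the original posts or the author's server: request headers are turned into CGI meta-variables without `Cookie` or `Referer`, and the application's response loses `Set-Cookie` and `ETag`. The function names and the sample data are hypothetical and constructed for illustration.

```python
import re

# Headers that never cross the server/application boundary (per the thread).
BLOCKED_REQUEST = {"cookie", "referer"}
BLOCKED_RESPONSE = {"set-cookie", "etag"}


def build_cgi_env(method, script_name, headers):
    """Map request headers to CGI meta-variables, omitting Cookie and Referer."""
    env = {"GATEWAY_INTERFACE": "CGI/1.1",
           "REQUEST_METHOD": method,
           "SCRIPT_NAME": script_name}
    for name, value in headers:
        lname = name.strip().lower()          # header names are case-insensitive
        if lname in BLOCKED_REQUEST:
            continue
        if lname in ("content-type", "content-length"):
            key = lname.upper().replace("-", "_")
        else:
            key = "HTTP_" + lname.upper().replace("-", "_")
        # Repeated headers are folded into one comma-separated value.
        env[key] = env[key] + ", " + value if key in env else value
    return env


def filter_cgi_response(raw):
    """Split CGI output into (headers, body), dropping Set-Cookie and ETag."""
    parts = re.split(rb"\r?\n\r?\n", raw, maxsplit=1)   # scripts may emit bare LF
    body = parts[1] if len(parts) == 2 else b""
    kept = []
    for line in re.split(rb"\r?\n", parts[0]):
        name, sep, value = line.partition(b":")
        if not sep:
            continue                          # not a header line: discard it
        name = name.strip().decode("latin-1")
        if name.lower() in BLOCKED_RESPONSE:
            continue
        kept.append((name, value.strip().decode("latin-1")))
    return kept, body


# Constructed sample input.
SAMPLE_REQUEST = [("Host", "example.org"), ("COOKIE", "sid=abc"),
                  ("Referer", "https://example.com/"), ("User-Agent", "demo")]
SAMPLE_RESPONSE = (b"Content-Type: text/plain\r\nSet-Cookie: sid=abc\r\n"
                   b'etag: "v1-user42"\r\n\r\nhello\n')
```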