W3C home > Mailing lists > Public > ietf-http-wg@w3.org > July to September 2009

Re: CORS redirect behavior proposal

From: Anne van Kesteren <annevk@opera.com>
Date: Thu, 24 Sep 2009 18:00:27 +0200
To: "Adam Barth" <w3c@adambarth.com>
Cc: "Collin Jackson" <collin@collinjackson.com>, "Mark Nottingham" <mnot@mnot.net>, "Ian Hickson" <ian@hixie.ch>, "HTTP Working Group" <ietf-http-wg@w3.org>, public-webapps@w3.org, "Tyler Close" <tyler.close@gmail.com>
Message-ID: <op.u0rqq1ym64w2qv@annevk-t60>
I have now specified the approach we discussed:

   http://dev.w3.org/2006/waf/access-control/

For simple requests redirects are followed. For other cross-origin  
requests they are the equivalent of a network error. The Origin header is  
a U+0020-separated list of origins. Each time a redirect takes place an  
origin is added to the origin chain if it is not the same as the last  
origin that was added. The Access-Control-Allow-Origin header needs to be  
identical to the value of the Origin header, octet-for-octet.

Let me know if I missed anything or if the draft is unclear.


On Thu, 24 Sep 2009 13:17:09 +0200, Anne van Kesteren <annevk@opera.com>  
wrote:
> That would also allow multiple headers to be used I think. Since  
> Access-Control-Allow-Origin needs to have an identical value to the  
> Origin header I do not think that would work well. Well, it would  
> probably work, but would make all the processing a lot more complicated  
> than it needs to be. (I'd prefer it to just be a simple string  
> comparison.)
>
>
>>> What order would be best there?
>>
>> I think the simplest thing is to list the origins in the order in
>> which the user agent encounters them (with adjacent duplicates
>> removed).
>
> That sounds reasonable.


-- 
Anne van Kesteren
http://annevankesteren.nl/
Received on Thursday, 24 September 2009 16:01:18 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 27 April 2012 06:51:10 GMT