Re: CORS redirect behavior proposal

I have now specified the approach we discussed:

   http://dev.w3.org/2006/waf/access-control/

For simple requests redirects are followed. For other cross-origin  
requests they are the equivalent of a network error. The Origin header is  
a U+0020-separated list of origins. Each time a redirect takes place an  
origin is added to the origin chain if it is not the same as the last  
origin that was added. The Access-Control-Allow-Origin header needs to be  
identical to the value of the Origin header, octet-for-octet.

Let me know if I missed anything or if the draft is unclear.


On Thu, 24 Sep 2009 13:17:09 +0200, Anne van Kesteren <annevk@opera.com>  
wrote:
> That would also allow multiple headers to be used I think. Since  
> Access-Control-Allow-Origin needs to have an identical value to the  
> Origin header I do not think that would work well. Well, it would  
> probably work, but would make all the processing a lot more complicated  
> than it needs to be. (I'd prefer it to just be a simple string  
> comparison.)
>
>
>>> What order would be best there?
>>
>> I think the simplest thing is to list the origins in the order in
>> which the user agent encounters them (with adjacent duplicates
>> removed).
>
> That sounds reasonable.


-- 
Anne van Kesteren
http://annevankesteren.nl/

Received on Thursday, 24 September 2009 16:01:18 UTC
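The redirect behaviour described in the message above, as an added worked example that is not part of the original thread or the draft: a small Python model of a user agent that builds the U+0020-separated Origin chain across redirects (appending an origin only when it differs from the last one added), treats a redirect on a non-simple request as a network error, and accepts the response only if Access-Control-Allow-Origin equals the Origin value octet-for-octet. It assumes the common `scheme://host[:port]` origin serialization and that the origin appended on each redirect is that of the URL which issued the redirect; the URLs and responses are constructed sample data.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url):
    """Serialize an origin as scheme://host[:port], omitting default ports.
    Assumption: the draft uses this common origin serialization."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    if p.port is None or p.port == DEFAULT_PORTS.get(scheme):
        return f"{scheme}://{p.hostname}"
    return f"{scheme}://{p.hostname}:{p.port}"


def origin_header(document_origin, redirectors):
    """Origin header value: origins in encounter order, U+0020-separated,
    an origin appended only if it differs from the last one added."""
    chain = [document_origin]
    for url in redirectors:
        o = origin_of(url)
        if o != chain[-1]:
            chain.append(o)
    return " ".join(chain)


class NetworkError(Exception):
    """What the user agent reports to script instead of a response."""


def cross_origin_fetch(document_origin, url, simple, responses):
    """Simulated user agent. `responses` maps a URL to a constructed
    (status, headers, body). Returns (Origin value sent, body)."""
    redirectors = []  # assumption: the redirecting URL's origin is appended
    while True:
        status, headers, body = responses[url]
        origin = origin_header(document_origin, redirectors)
        if status in (301, 302, 303, 307):
            if not simple:  # non-simple requests do not follow redirects
                raise NetworkError("redirect on non-simple cross-origin request")
            redirectors.append(url)
            url = headers["Location"]
            continue
        acao = headers.get("Access-Control-Allow-Origin")
        # Octet-for-octet: no trimming, no case folding, no list parsing.
        if acao is None or acao.encode() != origin.encode():
            raise NetworkError("Access-Control-Allow-Origin does not match Origin")
        return origin, body


RESPONSES = {  # constructed sample exchange; b.example redirects to itself once
    "https://a.example/r": (302, {"Location": "https://b.example/r2"}, ""),
    "https://b.example/r2": (302, {"Location": "https://b.example:443/r3"}, ""),
    "https://b.example:443/r3": (302, {"Location": "https://c.example/data"}, ""),
    "https://c.example/data": (200, {"Access-Control-Allow-Origin":
        "https://app.example https://a.example https://b.example"}, "ok"),
}
```

The explicit `:443` hop on b.example shows the adjacent-duplicate rule: it serializes to the same origin as the previous hop, so the chain sent to c.example has three origins, not four.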