On Wed, 2 Dec 2009, Tyler Close wrote:

(ietf-http-wg removed from the CC list)

> """
> The SOP rule is something like: Don't follow a cross-domain redirect
> of a PUT request, unless the redirect target has opted out of SOP
> protection.
>
> So, upon seeing the 307 redirect, libcurl would report an error if the
> origin of the Request-URI does not match the origin of the URL in the
> Location header; otherwise, the redirect is followed. Until there's a
> standard way for a resource to opt out of SOP, that's the best that
> can be done.
> """

Won't this get the user into the publicsuffix problem basically?

I mean, if my company has two vhosts under a single domain, shouldn't they be perfectly possible to redirect back and forth between each other?

foo.example.com redirecting a POST to bar.example.com

That's quite different than foo.com redirecting to bar.com. But just as with cookies, we can't really tell the difference just by looking at the names - as the names don't reveal the topology.

--

/ daniel.haxx.se

Received on Thursday, 3 December 2009 07:37:40 GMT
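A worked version of the two comparison rules under discussion, added here as example code (not libcurl's and not part of the thread): strict origin matching refuses foo.example.com -> bar.example.com, while a "same site" comparison needs a public suffix list to tell that case from foo.co.uk -> bar.co.uk. The `PUBLIC_SUFFIXES` set is a constructed stand-in for the real list, and `may_follow_redirect` is a hypothetical helper, not a libcurl API.

```python
from urllib.parse import urlsplit

# Constructed, minimal stand-in for the Public Suffix List; a real client
# would load the published list instead (assumption for this example).
PUBLIC_SUFFIXES = {"com", "org", "co.uk", "github.io"}

_DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Return the (scheme, host, port) origin triple for a URL."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    port = parts.port or _DEFAULT_PORTS.get(parts.scheme.lower())
    return (parts.scheme.lower(), host, port)


def registrable_domain(host):
    """Return public suffix plus one label ('example.com', 'foo.co.uk').

    The longest matching suffix wins; a host that *is* a public suffix has
    no registrable domain and yields None. Without the list, foo.co.uk and
    bar.co.uk would wrongly collapse to the same 'site' (co.uk).
    """
    labels = host.lower().split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:]) if i > 0 else None
    return host  # no known suffix: treat the whole host as the domain


def may_follow_redirect(method, request_url, location, policy="origin"):
    """Decide whether a redirected PUT/POST (e.g. a 307) may be re-sent.

    policy="origin": strict same-origin comparison, the rule quoted above.
    policy="site":   compare registrable domains, which needs the suffix list.
    Safe methods (GET/HEAD) are always allowed to follow.
    """
    if method.upper() in ("GET", "HEAD"):
        return True
    src, dst = origin(request_url), origin(location)
    if policy == "origin":
        return src == dst
    if policy == "site":
        a, b = registrable_domain(src[1]), registrable_domain(dst[1])
        return src[0] == dst[0] and a is not None and a == b
    raise ValueError("unknown policy: %r" % policy)
```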