W3C home > Mailing lists > Public > public-web-security@w3.org > January 2010

[XHR] same-origin request event rules are underspecified

From: Thomas Roessler <tlr@w3.org>
Date: Tue, 19 Jan 2010 08:00:19 +0100
Message-Id: <A7AE3CE7-4EA4-4F8A-80E8-1C62492A8248@w3.org>
Cc: public-web-security@w3.org, Thomas Roessler <tlr@w3.org>
To: W3C WebApps WG <public-webapps@w3.org>
Reviewing the XMLHttpRequest specification, the same origin request event rules are underspecified:
   http://www.w3.org/TR/XMLHttpRequest/#same-origin-request-event-rules

> The same-origin request event rules are as follows:
> 
> 	If the response is an HTTP redirect
> 
> 		If the redirect does not violate security (it is same origin for instance), infinite loop precautions, and the scheme is supported, transparently follow the redirect while observing the same-origin request event rules.


What does "does not violate security" mean?  Is a same origin redirect the only redirect that's considered to "not violate security"?

The specification neither gives a security policy for redirects, nor does it spell out this behavior as implementation-defined (in which case one would expect security considerations that could give implementers guidance).

Regards,
--
Thomas Roessler, W3C  <tlr@w3.org>
Received on Tuesday, 19 January 2010 07:00:22 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Sunday, 19 December 2010 00:16:01 GMT