
Re: [xhr2] cross site non-GET requests and redirects

From: Anne van Kesteren <annevk@opera.com>
Date: Wed, 01 Aug 2007 17:22:16 +0200
To: "Jonas Sicking" <jonas@sicking.cc>
Cc: "Web APIs WG" <public-webapi@w3.org>, "Ian Hickson" <ian@hixie.ch>
Message-ID: <op.twdznev564w2qv@annevk-t60.oslo.opera.com>

On Wed, 01 Aug 2007 01:01:55 +0200, Jonas Sicking <jonas@sicking.cc> wrote:
>> Also, what happens for same-origin which redirects to non same-origin  
>> which redirects to same-origin again. Do you perform an access check?
>
> In the implementation I've written, the decision whether to check access  
> control headers is done by comparing the final URI with the requesting  
> URI. So if you're redirected back to the original server no  
> access-control check is done.
>
> I'd be all ears if someone thinks we should do checks as soon as a  
> request has passed another domain at some point.

Given domains A and B, I wonder whether it's a problem if, when a request is made  
from A, B can feed information back to A (through the URL;  
http://domain-a.org/?data=data) without any sort of access check being  
done anywhere.


-- 
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>
Received on Wednesday, 1 August 2007 15:23:33 GMT
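The two policies under discussion, modelled as an added example that is not code from the thread or from any browser implementation: the "final-only" rule checks access-control headers only when the final response URL is cross-origin with the requesting page (the behaviour Jonas describes), while the "any-hop" rule requires a check as soon as any URL in the redirect chain is cross-origin. The redirect chain, the `policy` names and the page URL are constructed for illustration; the example shows that under "final-only" a chain A -> B -> A delivers B's query-string data to A with no check at all, which is the concern Anne raises.

```python
from urllib.parse import parse_qs, urlsplit


def origin(url):
    """Return the (scheme, host, port) triple that defines a URL's origin."""
    parts = urlsplit(url)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return (parts.scheme, parts.hostname, port)


def same_origin(a, b):
    return origin(a) == origin(b)


def needs_access_check(page_url, chain, policy):
    """Decide whether access-control headers must be checked for a request.

    page_url: URL of the document that issued the XHR.
    chain:    the request URL followed by every redirect target, in order;
              the last element is the URL of the final response.
    policy:   "final-only" compares only the final URL with the page origin
              (hypothetical name for the behaviour described in the thread);
              "any-hop" requires a check if any hop is cross-origin
              (hypothetical name for the stricter alternative).
    """
    if policy == "final-only":
        return not same_origin(page_url, chain[-1])
    if policy == "any-hop":
        return any(not same_origin(page_url, hop) for hop in chain)
    raise ValueError("unknown policy: %r" % policy)


def unchecked_payload(page_url, chain, policy):
    """Return the query-string data that reaches the page WITHOUT an access check.

    This is the channel Anne describes: a cross-origin server redirects back
    to the page's own origin with data in the URL. If the policy decides no
    check is needed, that data is delivered as if it were same-origin.
    Returns an empty dict when a check would be required.
    """
    if needs_access_check(page_url, chain, policy):
        return {}
    return parse_qs(urlsplit(chain[-1]).query)


# Constructed scenario: a page on domain-a.org requests its own server, which
# bounces through domain-b.org and is redirected back with data in the URL.
PAGE_URL = "http://domain-a.org/page"
CHAIN_A_B_A = [
    "http://domain-a.org/api",          # initial request, same-origin
    "http://domain-b.org/step",         # redirect to a different origin
    "http://domain-a.org/?data=data",   # redirect back home, carrying data
]

if __name__ == "__main__":
    for policy in ("final-only", "any-hop"):
        check = needs_access_check(PAGE_URL, CHAIN_A_B_A, policy)
        leaked = unchecked_payload(PAGE_URL, CHAIN_A_B_A, policy)
        print("%-10s access check: %-5s unchecked data: %s" % (policy, check, leaked))
```

Running the script prints that "final-only" performs no access check for the A -> B -> A chain and hands `{'data': ['data']}` to the page, whereas "any-hop" flags the chain because the domain-b.org hop is cross-origin. A direct cross-origin request is flagged under both policies, so the difference between them is confined to chains that return to the requesting origin.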
