
Re: [xhr2] cross site non-GET requests and redirects

From: Jonas Sicking <jonas@sicking.cc>
Date: Mon, 06 Aug 2007 14:39:28 -0700
Message-ID: <46B79510.5080604@sicking.cc>
To: Anne van Kesteren <annevk@opera.com>
CC: Web APIs WG <public-webapi@w3.org>, Ian Hickson <ian@hixie.ch>

Anne van Kesteren wrote:
> 
> On Wed, 01 Aug 2007 01:01:55 +0200, Jonas Sicking <jonas@sicking.cc> wrote:
>>> Also, what happens for same-origin which redirects to non same-origin 
>>> which redirects to same-origin again. Do you perform an access check?
>>
>> In the implementation I've written, the decision whether to check 
>> access control headers is done by comparing the final URI with the 
>> requesting URI. So if you're redirected back to the original server no 
>> access-control check is done.
>>
>> I'd be all ears if someone thinks we should do checks as soon as a 
>> request has passed another domain at some point.
> 
> Given domain A and B I wonder if it's a problem when a request is 
> done from A, B can feed information back to A (through the URL; 
> http://domain-a.org/?data=data) without any sort of access check being 
> done anywhere.

Yeah, I've been thinking about this scenario too. I think I agree with 
you actually, especially given that I don't see any good use cases for 
not doing the check in this scenario.

/ Jonas
Received on Monday, 6 August 2007 21:40:59 GMT
