W3C home > Mailing lists > Public > public-webapi@w3.org > August 2007

Re: [xhr2] cross site non-GET requests and redirects

From: Jonas Sicking <jonas@sicking.cc>
Date: Tue, 07 Aug 2007 12:56:24 -0700
Message-ID: <46B8CE68.9010309@sicking.cc>
To: Anne van Kesteren <annevk@opera.com>
Cc: Web APIs WG <public-webapi@w3.org>, Ian Hickson <ian@hixie.ch>

Anne van Kesteren wrote:
> 
> On Mon, 06 Aug 2007 23:39:28 +0200, Jonas Sicking <jonas@sicking.cc> wrote:
>>> Given domain A and B I wonder if it's a problem if when a request is 
>>> done from A, B can feed information back to A (through the URL; 
>>> http://domain-a.org/?data=data) without any sort of access check 
>>> being done anywhere.
>>
>> Yeah, I've been thinking about this scenario too. I think I agree with 
>> you actually, especially given that I don't see any good usecases for 
>> not doing the check in this scenario.
> 
> Agree? I was just wondering :-) In any case, I could easily solve this 
> in the specification by having a "has been non same-origin flag" which 
> is set to "true" the moment you make a non same-origin request or you 
> are redirected to a non-same origin location. Based on the value of that 
> flag you would then decide to do an access check. Sounds reasonable? 
> (Besides of course the already in place algorithms for a non-GET request 
> to a same-origin server which redirects to a non same-origin server.)

Yes, this sounds good.

/ Jonas
Received on Tuesday, 7 August 2007 19:56:36 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 8 January 2008 14:18:58 GMT