
Re: [xhr2] cross site non-GET requests and redirects

From: Jonas Sicking <jonas@sicking.cc>
Date: Fri, 27 Jul 2007 12:11:08 -0700
Message-ID: <46AA434C.9050404@sicking.cc>
To: Anne van Kesteren <annevk@opera.com>
Cc: Web APIs WG <public-webapi@w3.org>, Ian Hickson <ian@hixie.ch>

Anne van Kesteren wrote:
> It seems nicer however to not restrict it to XMLHttpRequest and define
> the entire retrieval algorithm in the access-control specification
> including how it works for other methods and in the face of redirects.

I agree. I don't really want to hold up the [ac] spec though. At the
same time we're shipping experimental support in the next Firefox alpha
release so the sooner we can get this all defined the better.

> By the way, a request to a same-origin redirect that redirects to a non 
> same-origin resource should also work I suppose? Or is there some reason 
> you need to know in advance you're going to make a non same-origin request?

For GET requests I don't see a reason to not allow redirects from 
same-origin to another server.

For POST and other methods it is a bit more complicated since you at the
point of the redirect have to switch to sending out a GET request first
to make sure that the POST is safe. At least in Mozilla we can't stall
the redirect while waiting for the GET to finish. It is probably
possible though to cancel the initial request, fire the GET request, and
then perform the redirect. Would be good to get other implementors' input
on this.

/ Jonas
Received on Friday, 27 July 2007 19:11:43 GMT
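
The sequence discussed in this message (cancel the non-GET request at a redirect to another server, send a GET check, then perform the redirect), as an added sketch that is not code from the message, from Mozilla or from the access-control draft. `planRequests`, the `isAllowed` callback standing in for the outcome of the GET check, and the example.* URLs are all hypothetical, and the sketch assumes the redirected request keeps its method.

```javascript
// Added illustration: plans the requests a client would send for a chain
// of redirects. hops[0] is the URL the script asked for; each later entry
// is the redirect target of the one before it (constructed sample data).
// isAllowed(origin, method) is an assumed stand-in for whatever the GET
// check against that origin concluded.
function planRequests(pageOrigin, method, hops, isAllowed) {
  const steps = [];
  // Origins the method may already be sent to: the page's own, plus any
  // that passed a GET check earlier in the chain.
  const cleared = new Set([pageOrigin]);

  for (let i = 0; i < hops.length; i++) {
    const origin = new URL(hops[i]).origin;

    if (method !== "GET" && !cleared.has(origin)) {
      // A redirect led here: the in-flight request cannot be stalled,
      // so it is cancelled before the check is sent.
      if (i > 0) steps.push(`cancel ${method} ${hops[i - 1]}`);
      steps.push(`GET ${hops[i]} (check)`);
      if (!isAllowed(origin, method)) {
        steps.push(`fail: ${origin} did not allow ${method}`);
        return steps; // the body is never sent to the other server
      }
      cleared.add(origin);
    }
    // GET requests, and non-GET requests to a cleared origin, go straight out.
    steps.push(`${method} ${hops[i]}`);
  }
  return steps;
}

// Constructed sample: same-origin URL that redirects to another server.
const chain = ["https://app.example/submit", "https://other.example/store"];
console.log(planRequests("https://app.example", "POST", chain, () => true));
```
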
