Since Jonas didn't e-mail about this I thought I would.

Say http://x.example/x does a request to http://y.example/y. http://y.example/y redirects to http://x.example/y. If this request were to use the Access Control specification the algorithm would have a status return flag set to "same-origin" and a url return flag set to http://x.example/y. XMLHttpRequest Level 2 would then attempt a same origin request to http://x.example/y.

For simplicity and to err on the side of security it has been suggested to remove the status return flag "same-origin" and simply keep following the normal rules. This would mean that if that request were to be successful http://x.example/y would need to include Access-Control-Allow-Origin: http://x.example (or a value * would also be ok if the credentials flag is false).

I'm planning on making this change in the next few days.

-- 
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>

Received on Friday, 3 October 2008 12:11:27 GMT
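The redirect case from the message above, as an added JavaScript model that is not part of the original e-mail or of the specification text. The function names and the server table are constructed for illustration, and the model assumes only the final response is checked.

```javascript
// Added illustration: a simplified model of the rule proposed in the message,
// not the specification's algorithm. All function names are hypothetical.

// Constructed server table: URL -> redirect target or final response headers.
function makeServers(finalHeaders) {
  return {
    'http://y.example/y': { redirect: 'http://x.example/y' },
    'http://x.example/y': { headers: finalHeaders },
  };
}

// Header check from the message: the value must equal the requesting origin,
// or be "*" when the credentials flag is false.
function allowOriginMatches(headers, sourceOrigin, credentialsFlag) {
  const value = headers['access-control-allow-origin'];
  if (value === undefined) return false;
  if (value === '*') return !credentialsFlag;
  return value === sourceOrigin;
}

// A request that starts cross-origin keeps following the normal rules even
// when a redirect lands back on the requesting origin (no "same-origin"
// shortcut). Assumption: only the final response is checked in this model.
function crossOriginRequest(sourceUrl, targetUrl, servers, credentialsFlag, maxHops = 5) {
  const sourceOrigin = new URL(sourceUrl).origin;
  let url = targetUrl;
  for (let hop = 0; hop <= maxHops; hop++) {
    const res = servers[url];
    if (!res) return { ok: false, url, reason: 'network error' };
    if (res.redirect) { url = res.redirect; continue; }
    const ok = allowOriginMatches(res.headers, sourceOrigin, credentialsFlag);
    return { ok, url, reason: ok ? 'allowed' : 'Access-Control-Allow-Origin check failed' };
  }
  return { ok: false, url, reason: 'too many redirects' };
}

const src = 'http://x.example/x';
const dst = 'http://y.example/y';
const cases = [
  [{ 'access-control-allow-origin': 'http://x.example' }, true],
  [{ 'access-control-allow-origin': '*' }, false],
  [{ 'access-control-allow-origin': '*' }, true],
  [{}, false],
];
for (const [headers, credentials] of cases) {
  const r = crossOriginRequest(src, dst, makeServers(headers), credentials);
  console.log(JSON.stringify(headers), 'credentials=' + credentials, '->', r.reason);
}
```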