
[access-control] non same-origin to same-origin redirect

From: Anne van Kesteren <annevk@opera.com>
Date: Fri, 03 Oct 2008 14:10:43 +0200
To: "WebApps WG" <public-webapps@w3.org>
Message-ID: <op.uif6r50h64w2qv@annevk-t60.oslo.opera.com>

Since Jonas didn't e-mail about this I thought I would. Say http://x.example/x does a request to http://y.example/y. http://y.example/y redirects to http://x.example/y. If this request were to use the Access Control specification the algorithm would have a status return flag set to "same-origin" and a url return flag set to http://x.example/y. XMLHttpRequest Level 2 would then attempt a same-origin request to http://x.example/y.

For simplicity and to err on the side of security it has been suggested to remove the status return flag "same-origin" and simply keep following the normal rules. This would mean that if that request were to be successful http://x.example/y would need to include Access-Control-Allow-Origin: http://x.example (or a value * would also be ok if the credentials flag is false). I'm planning on making this change in the next few days.

Anne van Kesteren
Received on Friday, 3 October 2008 12:11:27 UTC
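The two behaviours compared in the message, modelled as an added example (not code from the Access Control specification, XMLHttpRequest, or the author): a cross-origin request that is redirected back to the requesting origin, once with the earlier "same-origin" status-return shortcut and once under the proposed rule that keeps applying the normal Access-Control-Allow-Origin check to the redirect target. The `Response`, `fetch` and `SERVERS` names, and the server table, are constructed for the example.

```python
from dataclasses import dataclass, field
from urllib.parse import urlsplit

@dataclass
class Response:
    """Minimal stand-in for an HTTP response: status code plus headers."""
    status: int
    headers: dict = field(default_factory=dict)

def origin_of(url: str) -> str:
    """Serialise a URL's origin as scheme://host (ports omitted for brevity)."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.hostname}"

def access_control_check(origin: str, response: Response, credentials: bool) -> bool:
    """The normal rule: the response must carry a matching Access-Control-Allow-Origin."""
    allow = response.headers.get("Access-Control-Allow-Origin")
    if allow == "*":
        return not credentials  # "*" is only acceptable when the credentials flag is false
    return allow == origin

def fetch(origin, url, servers, credentials=False, same_origin_flag=False, max_redirects=5):
    """Follow redirects and decide whether the calling origin may read the final response.

    same_origin_flag=True models the earlier draft: once a redirect lands on the
    requesting origin the algorithm returns the status "same-origin" and the caller
    retries as an ordinary same-origin request, so the header is never checked.
    same_origin_flag=False models the proposed change: keep applying the normal rules.
    """
    for _ in range(max_redirects + 1):
        response = servers[url]  # constructed table standing in for the network
        if response.status in (301, 302, 303, 307) and "Location" in response.headers:
            url = response.headers["Location"]
            if same_origin_flag and origin_of(url) == origin:
                return {"status": "same-origin", "url": url, "allowed": True, "header_checked": False}
            continue
        allowed = access_control_check(origin, response, credentials)
        return {"status": "cross-origin", "url": url, "allowed": allowed, "header_checked": True}
    return {"status": "too-many-redirects", "url": url, "allowed": False, "header_checked": False}

# Constructed scenario from the message: x.example/x asks y.example/y, which
# redirects back to x.example/y; x.example/y sends no Access-Control header.
SERVERS = {
    "http://y.example/y": Response(302, {"Location": "http://x.example/y"}),
    "http://x.example/y": Response(200, {}),
}
ORIGIN = "http://x.example"

if __name__ == "__main__":
    print(fetch(ORIGIN, "http://y.example/y", SERVERS, same_origin_flag=True))  # allowed, unchecked
    print(fetch(ORIGIN, "http://y.example/y", SERVERS))  # denied: no Access-Control-Allow-Origin
```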
