
Re: [access-control] non same-origin to same-origin redirect

From: Anne van Kesteren <annevk@opera.com>
Date: Mon, 06 Oct 2008 16:07:13 +0200
To: "WebApps WG" <public-webapps@w3.org>
Message-ID: <op.uilv6bx364w2qv@annevk-t60.oslo.opera.com>

On Fri, 03 Oct 2008 14:10:43 +0200, Anne van Kesteren <annevk@opera.com> wrote:
> Since Jonas didn't e-mail about this I thought I would. Say  
> http://x.example/x does a request to http://y.example/y.  
> http://y.example/y redirects to http://x.example/y. If this request were  
> to use the Access Control specification the algorithm would have a  
> status return flag set to "same-origin" and a url return flag set to  
> http://x.example/y. XMLHttpRequest Level 2 would then attempt a same  
> origin request to http://x.example/y.
>
> For simplicity and to err on the side of security it has been suggested  
> to remove the status return flag "same-origin" and simply keep following  
> the normal rules. This would mean that if that request were to be  
> successful http://x.example/y would need to include  
> Access-Control-Allow-Origin: http://x.example (or a value * would also  
> be ok if the credentials flag is false). I'm planning on making this  
> change in the next few days.

I updated both Access Control and XMLHttpRequest Level 2 to no longer  
special case the scenario where during a non same origin request you're  
redirected to a same origin URL. Both specifications use the "status flag"  
(previously known as the "status return flag") and the "url return flag"  
is gone.


-- 
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>
Received on Monday, 6 October 2008 14:40:34 GMT
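The redirect scenario discussed in this thread, as an added example (not code from the thread or from either specification): a small Python model of the resource sharing check applied across a redirect chain, with a switch to compare the removed "same-origin" special case against the updated rule. It assumes, as the message states, that the check passes when Access-Control-Allow-Origin names the requesting origin or is `*` without credentials, and it assumes every response seen once the request has left its origin (redirect responses included) is checked.

```python
from urllib.parse import urlsplit


def origin_of(url):
    """Serialize the origin (scheme://host[:port]) of an absolute URL."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}"


def resource_sharing_check(origin, headers, credentials):
    """Access-Control-Allow-Origin must name the requesting origin, or be '*'
    when the request carries no credentials (the rule quoted in the thread)."""
    acao = headers.get("Access-Control-Allow-Origin")
    if acao is None:
        return False
    if acao == "*":
        return not credentials
    return acao == origin


def follow_redirects(origin, chain, credentials=False, special_case_same_origin=False):
    """Walk a constructed chain of (url, headers) responses for a request made by
    `origin`. Returns ('ok', final_url) or ('network error', failing_url).
    special_case_same_origin=True reproduces the behaviour the thread removed: a
    redirect back to the origin turns the request into a plain same-origin one.
    False is the updated rule: once cross-origin, every response is checked."""
    cross_origin = False
    for url, headers in chain:
        if origin_of(url) != origin:
            cross_origin = True
        elif special_case_same_origin:
            cross_origin = False  # the old "same-origin" status return flag
        # Assumption: redirect responses are checked too, not only the final one.
        if cross_origin and not resource_sharing_check(origin, headers, credentials):
            return ("network error", url)
    return ("ok", chain[-1][0])


# Constructed chain mirroring the thread: x.example/x -> y.example/y -> x.example/y
ORIGIN = "http://x.example"
CHAIN = [
    ("http://y.example/y", {"Location": "http://x.example/y",
                            "Access-Control-Allow-Origin": "http://x.example"}),
    ("http://x.example/y", {}),  # final resource sends no Access-Control header
]
```

With the special case, the chain above succeeds; under the updated rule it fails unless `http://x.example/y` itself sends `Access-Control-Allow-Origin`.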
