Re: Redirect and Origin

From: Anne van Kesteren <annevk@opera.com>
Date: Wed, 10 Jun 2009 09:59:24 +0200
To: "Adam Barth" <w3c@adambarth.com>, "Jonas Sicking" <jonas@sicking.cc>
Cc: "Tyler Close" <tyler.close@gmail.com>, public-webapps <public-webapps@w3.org>
Message-ID: <op.uvattajl64w2qv@annevk-t60>

On Wed, 10 Jun 2009 01:05:31 +0200, Adam Barth <w3c@adambarth.com> wrote:
> Either of these are fine with me.  I'll update the
> Origin-for-CSRF-defense draft to match whatever CORS would like to do
> here.

I'd prefer a space-separated list. Each time you encounter a cross-origin redirect you append a space and the new origin to the Origin header and use it in the next request. (This can lead to a single origin being listed multiple times. I think that is ok.) This way Web services can be moved cross-origin without breaking any usage of them. (E.g. if a Web service from startup.example is moved to bigco.example.)

Since nobody is handling redirects yet this should not be much of an issue.


-- 
Anne van Kesteren
http://annevankesteren.nl/
Received on Wednesday, 10 June 2009 08:00:06 GMT
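
The space-separated rule from the message above, worked through as an added example (not code from the thread or from any draft). It assumes "the new origin" means the origin of the server that issued the cross-origin redirect; the function names, the `.example` hosts and the receiver-side `allTrusted` check are constructed for illustration.

```javascript
// Serialize scheme://host[:port] for a URL string.
function originOf(url) {
  return new URL(url).origin;
}

// chain: URLs requested in order. chain[0] is the first request; each later
// entry is the redirect target returned by the previous response.
// Returns the Origin header value sent with each request.
function originHeaders(initiatorOrigin, chain) {
  const headers = [];
  let list = [initiatorOrigin];
  for (let i = 0; i < chain.length; i++) {
    if (i > 0) {
      const from = originOf(chain[i - 1]);
      const to = originOf(chain[i]);
      // Only a cross-origin redirect extends the list. Duplicates are kept,
      // as the message allows. (Assumption: the appended origin is `from`.)
      if (from !== to) list = [...list, from];
    }
    headers.push({ url: chain[i], origin: list.join(" ") });
  }
  return headers;
}

// Receiver-side view (assumption, not stated in the message): a service using
// Origin as a CSRF defence accepts only if every listed origin is trusted.
function allTrusted(originHeader, trusted) {
  const origins = originHeader.split(" ").filter(Boolean);
  return origins.length > 0 && origins.every((o) => trusted.has(o));
}

// Constructed redirect chain: a service moved from startup.example to
// bigco.example, with a bounce back that produces a duplicate entry.
const demo = originHeaders("http://client.example", [
  "http://startup.example/api",
  "http://startup.example/api/v2", // same-origin redirect: list unchanged
  "http://bigco.example/api",      // cross-origin: startup.example appended
  "http://startup.example/cb",     // cross-origin: bigco.example appended
  "http://bigco.example/final",    // cross-origin: startup.example again
]);
for (const h of demo) console.log(h.url, "->", "Origin:", h.origin);
```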