W3C home > Mailing lists > Public > public-webapps@w3.org > April to June 2009

Re: Redirect and Origin

From: Anne van Kesteren <annevk@opera.com>
Date: Wed, 10 Jun 2009 09:59:24 +0200
To: "Adam Barth" <w3c@adambarth.com>, "Jonas Sicking" <jonas@sicking.cc>
Cc: "Tyler Close" <tyler.close@gmail.com>, public-webapps <public-webapps@w3.org>
Message-ID: <op.uvattajl64w2qv@annevk-t60>
On Wed, 10 Jun 2009 01:05:31 +0200, Adam Barth <w3c@adambarth.com> wrote:
> Either of these are fine with me.  I'll update the
> Origin-for-CSRF-defense draft to match whatever CORS would like to do
> here.

I'd prefer a space-separated list. Each time you encounter a cross-origin redirect you append a space and the new origin to the Origin header and use it in the next request. (This can lead to a single origin being listed multiple times. I think that is ok.) This way Web services can be moved cross-origin without breaking any usage of them. (E.g. if a Web service from startup.example is moved to bigco.example.)

Since nobody is handling redirects yet this should not be much of an issue.

Anne van Kesteren
Received on Wednesday, 10 June 2009 08:00:06 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 20 October 2015 13:55:26 UTC