Re: [cors] TAG request concerning CORS & Next Step(s)

On Wed, Jun 24, 2009 at 11:45 AM, Tyler Close <tyler.close@gmail.com> wrote:
> On Wed, Jun 24, 2009 at 10:16 AM, Jonas Sicking <jonas@sicking.cc> wrote:
>> Firefox 3.5 will be out in a matter of days (RC available already) and
>> it supports the majority of CORS (everything but redirects of
>> preflighted requests).
>
> What is the behavior of the Origin header on other kinds of redirects?
> For example:
>
> 1. page from Site A does: POST text/plain to a URL at Site B
>
> 2. Site B responds with a redirect to a URL at Site A
>
> 3. User clicks through any presented redirect confirmation dialog
>
> 4. Browser sends the POST from step 1 to the specified URL at Site A.
>
> What is the value of the Origin header in step 4?

Which "Origin" are you referring to here?

The "Origin" header defined by the CORS spec is known to be bad and is
being worked on.  So I'm not sure it's interesting to discuss what the
CORS spec says here. (At least that was the status last I looked, I'm
a bit behind on the last few rounds of emails though).

As for the "Origin" spec that Adam Barth is working on, I'm not sure
that the last draft is published yet, but I believe that the idea is
to append the full redirect chain in the Origin header (hence
possibly making it incompatible with the CORS "Origin" meaning that
we'll have to use another name).

So again, we do know there is a problem with the Origin header in the
CORS spec when it comes to redirects. It's a known outstanding issue
that we believe is fixable and not a reason to abandon the whole spec.

/ Jonas

Received on Wednesday, 24 June 2009 19:44:31 UTC
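
The redirect scenario in the quoted steps 1-4, as an added example that is not part of the original message or of either spec: a server-side check at Site A that treats the Origin header as a redirect chain. The space-separated chain syntax, the host names a.example and b.example, and the function names are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Constructed values: "Site A" and "Site B" from the message, given example hosts.
SITE_A = "http://a.example"
SITE_B = "http://b.example"
TRUSTED = frozenset({SITE_A})

# Constructed Origin value for the step 4 request under the chain idea:
# Site A started the POST, Site B redirected it back to Site A.
STEP4_ORIGIN = f"{SITE_A} {SITE_B}"


def parse_origin_chain(value):
    """Return the list of origins in the header, or None if "null" or malformed."""
    value = value.strip()
    if not value or value == "null":
        return None
    chain = []
    for token in value.split(" "):
        try:
            parts = urlsplit(token)
        except ValueError:
            return None
        # An origin is scheme://host[:port] only: no path, query or fragment.
        if not parts.scheme or not parts.netloc or parts.path or parts.query or parts.fragment:
            return None
        chain.append(f"{parts.scheme}://{parts.netloc}".lower())
    return chain


def naive_accept(origin_header, trusted=TRUSTED):
    """Weak check: looks only at the origin that started the request."""
    chain = parse_origin_chain(origin_header or "")
    return bool(chain) and chain[0] in trusted


def strict_accept(origin_header, trusted=TRUSTED):
    """Accept only if every origin that touched the request is trusted."""
    chain = parse_origin_chain(origin_header or "")
    return bool(chain) and all(origin in trusted for origin in chain)


if __name__ == "__main__":
    print("naive :", naive_accept(STEP4_ORIGIN))
    print("strict:", strict_accept(STEP4_ORIGIN))
```

The weak check accepts the step 4 request because Site A started it, even though Site B chose the final URL; the strict check rejects it because Site B appears in the chain.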