
Re: [cors] TAG request concerning CORS & Next Step(s)

From: Tyler Close <tyler.close@gmail.com>
Date: Wed, 24 Jun 2009 12:52:40 -0700
Message-ID: <5691356f0906241252i52b5c34dh4a4c9e3013a16408@mail.gmail.com>
To: Jonas Sicking <jonas@sicking.cc>
Cc: Arthur Barstow <Art.Barstow@nokia.com>, public-webapps <public-webapps@w3.org>, Henry Thompson <ht@inf.ed.ac.uk>

Hi Jonas,

I'm just asking what Origin header behavior will be shipped in Firefox
3.5. You've said redirects of preflighted requests aren't supported,
so I'm wondering about the non-preflighted requests.

Another question, since Firefox doesn't support redirects of
preflighted requests, what does it do when it encounters a redirect?

--Tyler

On Wed, Jun 24, 2009 at 12:43 PM, Jonas Sicking<jonas@sicking.cc> wrote:
> On Wed, Jun 24, 2009 at 11:45 AM, Tyler Close<tyler.close@gmail.com> wrote:
>> On Wed, Jun 24, 2009 at 10:16 AM, Jonas Sicking<jonas@sicking.cc> wrote:
>>> Firefox 3.5 will be out in a matter of days (RC available already) and
>>> it supports the majority of CORS (everything but redirects of
>>> preflighted requests).
>>
>> What is the behavior of the Origin header on other kinds of redirects?
>> For example:
>>
>> 1. page from Site A does: POST text/plain to a URL at Site B
>>
>> 2. Site B responds with a redirect to a URL at Site A
>>
>> 3. User clicks through any presented redirect confirmation dialog
>>
>> 4. Browser sends the POST from step 1 to the specified URL at Site A.
>>
>> What is the value of the Origin header in step 4?
>
> Which "Origin" are you referring to here?
>
> The "Origin" header defined by the CORS spec is known to be bad and is
> being worked on.  So I'm not sure it's interesting to discuss what the
> CORS spec says here. (At least that was the status last I looked, I'm
> a bit behind on the last few rounds of emails though).
>
> As for the "Origin" spec that Adam Barth is working on, I'm not sure
> that the last draft is published yet, but I believe that the idea is
> to append the full redirect chain in the Origin header. (hence
> possibly making it incompatible with the CORS "Origin" meaning that
> we'll have to use another name).
>
> So again, we do know there is a problem with the Origin header in the
> CORS spec when it comes to redirects. It's a known outstanding issue
> that we believe is fixable and not a reason to abandon the whole spec.
>
> / Jonas
>



-- 
"Waterken News: Capability security on the Web"
http://waterken.sourceforge.net/recent.html
Received on Wednesday, 24 June 2009 19:53:21 GMT
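
Added example, not part of the thread or of any browser's code: a small JavaScript model of the four-step redirect scenario quoted above, comparing two hypothetical Origin header behaviours as seen by a server-side check at Site A. The origins https://a.example and https://b.example, the policy names and the function names are assumptions made for illustration; the thread does not say which behaviour Firefox 3.5 implements.

```javascript
// Added illustration; not from the thread, the CORS draft, or Firefox.
// Constructed origins standing in for "Site A" and "Site B".
const SITE_A = "https://a.example";
const SITE_B = "https://b.example";

// Hypothetical models of what a browser could send in Origin after redirects.
// hops: the origin of each URL that answered with a redirect, in order.
const originPolicies = {
  // Only the origin of the page that started the request is sent.
  initiatorOnly: (initiator, hops) => initiator,
  // Initiator followed by every redirecting origin, space separated
  // (the "full redirect chain" idea mentioned in the thread).
  fullChain: (initiator, hops) => [initiator, ...hops].join(" "),
};

// Origin header value on the final request (step 4) of the scenario:
// page at Site A posts to Site B, Site B redirects back to Site A.
function originAtStep4(policyName) {
  return originPolicies[policyName](SITE_A, [SITE_B]);
}

// Server-side check at Site A: accept a state-changing POST only if every
// origin listed in the header is in the allow-list. A missing header or an
// empty value is rejected; "null" fails because it is not in the allow-list.
function acceptPost(originHeader, trusted) {
  if (typeof originHeader !== "string") return false;
  const origins = originHeader.trim().split(/\s+/).filter(Boolean);
  if (origins.length === 0) return false;
  return origins.every((o) => trusted.has(o));
}

// Run the same check against both modelled header behaviours.
function runScenario() {
  const trusted = new Set([SITE_A]);
  const results = {};
  for (const name of Object.keys(originPolicies)) {
    const header = originAtStep4(name);
    results[name] = { header, accepted: acceptPost(header, trusted) };
  }
  return results;
}

console.log(runScenario());
```

In this model, a header carrying only the initiating origin gives Site A no sign that Site B chose the final URL, while the chained value lets the same allow-list check reject the request.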
