
Re: [cors] TAG request concerning CORS & Next Step(s)

From: Mark S. Miller <erights@google.com>
Date: Wed, 24 Jun 2009 20:25:13 -0700
Message-ID: <4d2fac900906242025m41674cfaje125e6530b2a3ed0@mail.gmail.com>
To: Adrian Bateman <adrianba@microsoft.com>
Cc: Anne van Kesteren <annevk@opera.com>, Arthur Barstow <Art.Barstow@nokia.com>, public-webapps <public-webapps@w3.org>, Henry Thompson <ht@inf.ed.ac.uk>
On Wed, Jun 24, 2009 at 8:17 PM, Adrian Bateman <adrianba@microsoft.com> wrote:

> On Wednesday, June 24, 2009 6:39 PM, Mark S. Miller wrote:
> > On Wed, Jun 24, 2009 at 8:14 AM, Anne van Kesteren <annevk@opera.com> wrote:
> > > I cannot comment on behalf of Opera on this. I can point out that Safari 4 and Chrome 2
> > > ship with it and that Firefox 3.5 will too. (No implementation will support redirects yet
> > > though, as I understand things.) Internet Explorer 8 supports a subset of the protocol.
> >
> > IIUC, the XDR subset IE8 supports does not include identified Origin or preflight,
> > and so avoids most of the problems created by full CORS. However, it still presents
> > user credentials (http auth, cookies, client-side certs, referer), and so still has
> > many of the same remaining ambient authority problems. Nevertheless, it remains a more
> > plausible starting point than identified Origin.
>
> IE8 strips user credentials such as cookies from XDR requests and supports
> only GET and POST. It does send the Origin header used for CORS and responds
> to Access-Control-Allow-Origin. We don't support preflight.
>

Hi Adrian, thanks for the clarification.

When you say it strips user credentials such as cookies, what about http
auth info, client side certs, and referrer?

Regarding the Origin header, how does XDR handle redirects?

-- 
   Cheers,
   --MarkM
Received on Thursday, 25 June 2009 03:25:54 GMT
