W3C home > Mailing lists > Public > public-webapps@w3.org > January to March 2009

[cors] Redirects

From: Anne van Kesteren <annevk@opera.com>
Date: Tue, 17 Mar 2009 21:50:21 +0100
To: "WebApps WG" <public-webapps@w3.org>
Message-ID: <op.uqyet7zi64w2qv@annevk-t60.oslo.opera.com>
I took another look at redirects today.

* simple cross-origin request

For this case redirects can simply be followed. Some redirects will cause  
the request method to be changed from HEAD, GET, or POST to GET. Per HTTP  
that would be 303. Per implementations that would be 301, 302, and 303.  
(Some implementations also change to GET for 307, some show some a  

* cross-origin request with preflight, preflight request

Since OPTIONS is safe it should just go through redirects apart from 303.  
We could special case 303 as Jonas suggested and not treat it as a  

* cross-origin request with preflight, actual request

If we want to follow redirects here at all we can only do it for requests  
that do not require a preflight. Therefore I'm still not quite convinced  
that we should honor 303 here because the headers might still be dangerous  
and have not been checked prior to the request. I think doing what the  
specification suggests here is safest.

Overall, I still think that the only change we possibly want to make is  
for preflight requests. I'd appreciate feedback!

Anne van Kesteren
Received on Tuesday, 17 March 2009 20:51:15 UTC

This archive was generated by hypermail 2.3.1 : Friday, 27 October 2017 07:26:14 UTC