- From: Anne van Kesteren <annevk@opera.com>
- Date: Tue, 17 Mar 2009 21:56:52 +0100
- To: "Anne van Kesteren" <annevk@opera.com>, "WebApps WG" <public-webapps@w3.org>

On Tue, 17 Mar 2009 21:50:21 +0100, Anne van Kesteren <annevk@opera.com> wrote:
> * cross-origin request with preflight, actual request
>
> If we want to follow redirects here at all we can only do it for
> requests that do not require a preflight. Therefore I'm still not quite
> convinced that we should honor 303 here because the headers might still
> be dangerous and have not been checked prior to the request. I think
> doing what the specification suggests here is safest.

Alternatively, we could change the specification so that redirects are not followed, but that their contents (and maybe the Location header) are exposed to application authors if the resource sharing check works out ok. That way the details are still revealed but we do not have to get really complicated and perform a preflight request for every redirect that follows an actual request.

--
Anne van Kesteren
http://annevankesteren.nl/

Received on Tuesday, 17 March 2009 20:57:38 UTC
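
A simplified model of the alternative proposed in this message, added here as an illustration and not code from the message or from the specification: the redirect is never followed, and its status, body and (optionally) Location are exposed only when the resource sharing check passes. The function names, option names, origins and sample responses are all assumptions constructed for the example.

```javascript
// Added illustration: all names are hypothetical, not taken from the CORS draft.
const REDIRECT_STATUSES = new Set([301, 302, 303, 307]);

// Case-insensitive lookup in a plain object of response headers.
function header(headers, name) {
  const key = Object.keys(headers).find(k => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? null : headers[key];
}

// Resource sharing check: the response must opt in to being read by `origin`.
function resourceSharingCheck(headers, origin, withCredentials) {
  const allowOrigin = header(headers, "Access-Control-Allow-Origin");
  if (allowOrigin === null) return false;
  if (withCredentials) {
    // A wildcard is not accepted when credentials were sent.
    return allowOrigin === origin &&
      header(headers, "Access-Control-Allow-Credentials") === "true";
  }
  return allowOrigin === "*" || allowOrigin === origin;
}

// The alternative from the message: never follow the redirect, so no second
// request with unchecked headers is sent. The redirect response itself is
// exposed to the page only if it passes the resource sharing check.
function handleActualResponse(response, origin, opts = {}) {
  const { withCredentials = false, exposeLocation = false } = opts;
  if (!resourceSharingCheck(response.headers, origin, withCredentials)) {
    return { type: "network-error" };
  }
  const exposed = { type: "exposed", status: response.status,
                    body: response.body, followed: false };
  if (REDIRECT_STATUSES.has(response.status) && exposeLocation) {
    exposed.location = header(response.headers, "Location");
  }
  return exposed;
}

// Constructed sample responses (not captured traffic).
const ORIGIN = "https://app.example";
const optedIn = { status: 303, body: "moved", headers: {
  "Access-Control-Allow-Origin": ORIGIN, "Location": "https://other.example/new" } };
const silent = { status: 303, body: "moved", headers: {
  "Location": "https://other.example/new" } };

console.log(handleActualResponse(optedIn, ORIGIN, { exposeLocation: true }));
console.log(handleActualResponse(silent, ORIGIN));
```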