
Re: [cors] Redirects

From: Anne van Kesteren <annevk@opera.com>
Date: Tue, 17 Mar 2009 21:56:52 +0100
To: "Anne van Kesteren" <annevk@opera.com>, "WebApps WG" <public-webapps@w3.org>
Message-ID: <op.uqye42yp64w2qv@annevk-t60.oslo.opera.com>

On Tue, 17 Mar 2009 21:50:21 +0100, Anne van Kesteren <annevk@opera.com>  
wrote:
> * cross-origin request with preflight, actual request
>
> If we want to follow redirects here at all we can only do it for  
> requests that do not require a preflight. Therefore I'm still not quite  
> convinced that we should honor 303 here because the headers might still  
> be dangerous and have not been checked prior to the request. I think  
> doing what the specification suggests here is safest.

Alternatively, we could change the specification so that redirects are not  
followed, but that their contents (and maybe the Location header) are  
exposed to application authors if the resource sharing check works out ok.  
That way the details are still revealed but we do not have to get really  
complicated and perform a preflight request for every redirect that  
follows an actual request.


-- 
Anne van Kesteren
http://annevankesteren.nl/
Received on Tuesday, 17 March 2009 20:57:38 GMT
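
The alternative proposed in the message above, modelled as an added example (not part of the original post and not text from the CORS specification): the redirect response to the actual request is never followed, and its status, contents and optionally its Location header reach the application only if the resource sharing check passes. The function names, the plain-object response shape, the `exposeLocation` switch and the simplified form of the resource sharing check are assumptions made for illustration.

```javascript
// Added illustration; names and data shapes are hypothetical.
// Headers are plain objects with lowercase keys.
const REDIRECT_STATUSES = new Set([301, 302, 303, 307]);

// Simplified resource sharing check: the response must opt in to the
// requesting origin. With credentials, "*" is not accepted and
// Access-Control-Allow-Credentials must be "true".
function resourceSharingCheck(origin, headers, withCredentials) {
  const allowOrigin = headers["access-control-allow-origin"];
  if (allowOrigin === undefined) return false;
  if (withCredentials) {
    return allowOrigin === origin &&
      headers["access-control-allow-credentials"] === "true";
  }
  return allowOrigin === "*" || allowOrigin === origin;
}

// Decide what the application may see of the response to the actual
// request. A redirect is never followed, so no second request (and no
// un-preflighted headers) is sent to the redirect target.
function handleActualResponse(origin, response, opts = {}) {
  const { withCredentials = false, exposeLocation = true } = opts;
  if (!resourceSharingCheck(origin, response.headers, withCredentials)) {
    return { type: "network-error" };
  }
  const exposed = {
    type: "exposed",
    status: response.status,
    body: response.body,
    followed: false,
  };
  if (REDIRECT_STATUSES.has(response.status) && exposeLocation) {
    exposed.location = response.headers["location"] ?? null;
  }
  return exposed;
}
```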
