W3C home > Mailing lists > Public > public-webapps@w3.org > January to March 2009

Re: [cors] Redirects

From: Anne van Kesteren <annevk@opera.com>
Date: Wed, 18 Mar 2009 12:23:30 +0100
To: "WebApps WG" <public-webapps@w3.org>
Message-ID: <op.uqzi9gox64w2qv@annevk-t60.oslo.opera.com>
On Tue, 17 Mar 2009 21:56:52 +0100, Anne van Kesteren <annevk@opera.com>  
wrote:
> On Tue, 17 Mar 2009 21:50:21 +0100, Anne van Kesteren <annevk@opera.com>  
> wrote:
>> * cross-origin request with preflight, actual request
>>
>> If we want to follow redirects here at all we can only do it for  
>> requests that do not require a preflight. Therefore I'm still not quite  
>> convinced that we should honor 303 here because the headers might still  
>> be dangerous and have not been checked prior to the request. I think  
>> doing what the specification suggests here is safest.
>
> Alternatively, we could change the specification so that redirects are  
> not followed, but that their contents (and maybe the Location header)  
> are exposed to application authors if the resource sharing check works  
> out ok. That way the details are still revealed but we do not have to  
> get really complicated and perform a preflight request for every  
> redirect that follows an actual request.

Thinking about this some more I rather treat redirects as errors. I think  
that will work better as future extension point. It also is more  
consistent I think. They are either a point of error or are  
"transparently" followed.

So that leaves deciding what to do with a 303 on a preflight request. I'm  
leaning towards simply making it a network error.


-- 
Anne van Kesteren
http://annevankesteren.nl/
Received on Wednesday, 18 March 2009 11:24:28 GMT

This archive was generated by hypermail 2.3.1 : Tuesday, 26 March 2013 18:49:30 GMT