- From: Aaron Boodman <aa@google.com>
- Date: Sat, 15 Aug 2009 15:40:24 -0700
- To: "public-webapps@w3.org Group WG" <public-webapps@w3.org>

What is supposed to happen in a UA that supports XMLHttpRequest Level 2 when a cross-origin request redirects to a same-origin resource and no access control headers are sent by either the client or server? It seems like the spec says this is supposed to succeed, but it isn't super clear to me. If it is supposed to succeed, isn't there a worry that the redirect itself (or lack thereof) could be an information leak?

- a

Received on Saturday, 15 August 2009 22:41:03 UTC