What is supposed to happen in a UA that supports XMLHttpRequest Level 2 when a cross-origin request redirects to a same-origin resource and no access control headers are sent by either the client or server? It seems like the spec says this is supposed to succeed, but it isn't super clear to me. If it is supposed to succeed, isn't there a worry that the redirect itself (or lack thereof) could be an information leak?

- a

Received on Saturday, 15 August 2009 22:41:03 GMT