
Re: Access control and cross-origin redirect question

From: Aaron Boodman <aa@google.com>
Date: Sun, 16 Aug 2009 01:00:08 -0700
Message-ID: <278fd46c0908160100u38a69a51m7aea92ba6f6b397e@mail.gmail.com>
To: "public-webapps@w3.org Group WG" <public-webapps@w3.org>

I change my opinion. In the access control spec, I now see:

5.1 Simple Cross-Origin Request, Actual Request, and Redirects
In response to a simple cross-origin request or actual request the
resource indicates whether or not to share the response.
If the resource has been relocated, it indicates whether to share its new URL.

So I think in the case I asked about, the answer would be that the
redirect should not be followed and it should be a security error.
Please let me know if this interpretation is wrong.

- a

On Sat, Aug 15, 2009 at 3:40 PM, Aaron Boodman<aa@google.com> wrote:
> What is supposed to happen in a UA that supports XMLHttpRequest Level
> 2 when a cross-origin request redirects to a same-origin resource and
> no access control headers are sent by either the client or server?
>
> It seems like the spec says this is supposed to succeed, but it isn't
> super clear to me. If it is supposed to succeed, isn't there a worry
> that the redirect itself (or lack thereof) could be an information
> leak?
>
> - a
>
Received on Sunday, 16 August 2009 08:00:49 GMT
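The reading of section 5.1 given in this thread, as an added model that is not code from the spec, the thread or any browser: a user agent handling a simple cross-origin request follows a redirect only if the 3xx response itself carries an Access-Control-Allow-Origin grant for the requesting origin, so a cross-origin endpoint that forwards to a same-origin URL cannot reveal that URL or its body through the redirect. The function names, header handling and sample responses are assumptions made for illustration.

```javascript
// Added model of the 5.1 rule as read in this thread: a redirect during a
// simple cross-origin request is followed only if the 3xx response shares
// its new URL with the requesting origin. Names, header handling and the
// sample responses are assumptions, not the spec's algorithm or UA code.

function originOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.host}`;
}

// Non-credentialed case only: "*" or an exact origin match is a grant.
function sharesWithOrigin(headers, requestOrigin) {
  const allow = headers['access-control-allow-origin'];
  return allow === '*' || allow === requestOrigin;
}

// `hops` is an ordered list of constructed {status, headers, body}
// responses, one per request the UA would send while following the chain.
function simpleCrossOriginRequest(requestOrigin, url, hops) {
  let currentUrl = url;
  for (const response of hops) {
    const crossOrigin = originOf(currentUrl) !== requestOrigin;
    const shared = !crossOrigin || sharesWithOrigin(response.headers, requestOrigin);
    const isRedirect = response.status >= 300 && response.status < 400;
    if (isRedirect && response.headers.location) {
      // A relocated resource must say whether its new URL may be shared;
      // without that, the UA stops here and never requests the Location,
      // so a same-origin target stays hidden from the calling page.
      if (!shared) return { ok: false, error: 'redirect not shared' };
      currentUrl = new URL(response.headers.location, currentUrl).href;
      continue;
    }
    if (!shared) return { ok: false, error: 'response not shared' };
    return { ok: true, url: currentUrl, body: response.body };
  }
  return { ok: false, error: 'no final response' };
}

// Constructed scenario from the question: https://app.example asks
// https://other.example, which 302s back to app.example with no
// access-control headers anywhere. Expected: network error, no body.
const REQUESTER = 'https://app.example';
const noHeaders = simpleCrossOriginRequest(REQUESTER, 'https://other.example/go', [
  { status: 302, headers: { location: 'https://app.example/private' }, body: '' },
  { status: 200, headers: {}, body: 'private data' },
]);

// Same chain, but the redirect grants access and the final hop is same-origin.
const redirectShared = simpleCrossOriginRequest(REQUESTER, 'https://other.example/go', [
  { status: 302, headers: { location: 'https://app.example/private', 'access-control-allow-origin': '*' }, body: '' },
  { status: 200, headers: {}, body: 'private data' },
]);
```

Run with `node` to evaluate both scenarios; `noHeaders.ok` is false with error `redirect not shared`, while `redirectShared.ok` is true.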
