I change my opinion. In the access control spec, I now see:

5.1 Simple Cross-Origin Request, Actual Request, and Redirects

In response to a simple cross-origin request or actual request the resource indicates whether or not to share the response. If the resource has been relocated, it indicates whether to share its new URL.

So I think in the case I asked about, the answer would be that the redirect should not be followed and it should be a security error. Please let me know if this interpretation is wrong.

- a

On Sat, Aug 15, 2009 at 3:40 PM, Aaron Boodman <aa@google.com> wrote:
> What is supposed to happen in a UA that supports XMLHttpRequest Level
> 2 when a cross-origin request redirects to a same-origin resource and
> no access control headers are sent by either the client or server?
>
> It seems like the spec says this is supposed to succeed, but it isn't
> super clear to me. If it is supposed to succeed, isn't there a worry
> that the redirect itself (or lack thereof) could be an information
> leak?
>
> - a
>

Received on Sunday, 16 August 2009 08:00:49 GMT
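To make the interpretation above concrete, here is an added example (not part of the thread, not from the spec editors) that models in JavaScript the per-hop check a CORS-mode fetch applies to a redirect chain. It assumes the rule as later written into the Fetch standard: once a request has crossed an origin boundary, every response in the chain must pass the CORS check, including the redirect response itself and a final response that happens to be same-origin; the URLs and responses are constructed for illustration.

```javascript
// Added example: a model of how a CORS-mode request treats a redirect chain.
// Assumption (Fetch-style rule): once the request has gone cross-origin, the
// response tainting becomes "cors" and is never reset, so each subsequent
// response, the 3xx redirect included, must carry a usable
// Access-Control-Allow-Origin header or the whole fetch is a network error.

function originOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.host}`;
}

// CORS check for one response: Access-Control-Allow-Origin is "*" or
// exactly the requesting origin. Credentialed requests are out of scope.
function corsCheck(requestOrigin, headers) {
  const allow = headers["access-control-allow-origin"];
  return allow === "*" || allow === requestOrigin;
}

// `hops` is the constructed response chain in order, each
// { url, status, headers } with lower-case header names.
// Returns { ok: true, url } when the final response may be exposed to the
// caller, or { ok: false, reason } for a network/security error.
function fetchWithRedirects(requestOrigin, hops) {
  let tainting = "basic";
  for (const hop of hops) {
    if (originOf(hop.url) !== requestOrigin) tainting = "cors";
    // Once tainted, even a bare 302 from the other origin fails: the
    // redirect is not followed and nothing about it reaches script.
    if (tainting === "cors" && !corsCheck(requestOrigin, hop.headers)) {
      return { ok: false, reason: `CORS check failed at ${hop.url}` };
    }
    if (hop.status >= 300 && hop.status < 400) {
      continue; // follow the redirect; tainting is not reset
    }
    return { ok: true, url: hop.url };
  }
  return { ok: false, reason: "chain ended on a redirect" };
}
```

The same-origin resource at the end of the chain is therefore not exposed unless it too opts in, which is what keeps the "did it redirect?" bit from leaking.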