W3C home > Mailing lists > Public > public-webapps@w3.org > July to September 2009

Re: Access control and cross-origin redirect question

From: Anne van Kesteren <annevk@opera.com>
Date: Sun, 16 Aug 2009 10:37:40 +0200
To: "Aaron Boodman" <aa@google.com>, "public-webapps@w3.org Group WG" <public-webapps@w3.org>
Message-ID: <op.uyqx82vb64w2qv@annevk-t60>
On Sun, 16 Aug 2009 10:00:08 +0200, Aaron Boodman <aa@google.com> wrote:
> I change my opinion. In the access control spec, I now see:
>
> 5.1 Simple Cross-Origin Request, Actual Request, and Redirects
> In response to a simple cross-origin request or actual request the
> resource indicates whether or not to share the response.
> If the resource has been relocated, it indicates whether to share its  
> new URL.
>
> So I think in the case I asked about, the answer would be that the
> redirect should not be followed and it should be a security error.
> Please let me know if this interpretation is wrong.

You're asking about user agent behavior and as such the answer cannot actually be found in the resource processing model section ;-) What you are looking for is described here:

  http://dev.w3.org/2006/waf/access-control/#redirect-steps

You are right however that for a cross-origin to same-origin redirect the headers need to be included. (The redirect steps include a note to that effect in case it was not directly clear from the algorithm.)

Having said all that, we have an outstanding issue with redirects that needs solving:

  http://lists.w3.org/Archives/Public/public-webapps/2009AprJun/1000.html

I haven't really given it another thought yet, as I'm hoping a few other people will take a crack at it first.

Cheers,


-- 
Anne van Kesteren
http://annevankesteren.nl/
Received on Sunday, 16 August 2009 08:38:29 GMT

This archive was generated by hypermail 2.3.1 : Tuesday, 26 March 2013 18:49:33 GMT