W3C home > Mailing lists > Public > public-webapps@w3.org > April to June 2011

Re: [widgets] WARP and redirects

From: Marcos Caceres <marcosscaceres@gmail.com>
Date: Wed, 22 Jun 2011 10:32:09 +0200
Message-ID: <4E01A889.7060501@gmail.com>
To: Robin Berjon <robin.berjon@gmail.com>
CC: public-webapps <public-webapps@w3.org>
On 6/20/11 12:57 PM, Robin Berjon wrote:
> On Jun 20, 2011, at 12:23 , Marcos Caceres wrote:
>> On Mon, Jun 20, 2011 at 11:41 AM, Robin
>> Berjon<robin.berjon@gmail.com>  wrote:
> You have origin restrictions in place. If you XHR to
> perfectly-legit.com and it redirects to something protected inside
> your network, unless you've used CORS to open up the latter (in which
> case you're begging to get hurt) then you won't get anything.

The use case I was thinking about more centered around images, scripts, 
and iframes, which are not really subject to CORS (though I can see how 
they could be). Anyway, we already have origin="*", so probably doesn't 
matter too much at this point.
Received on Wednesday, 22 June 2011 08:32:40 GMT

This archive was generated by hypermail 2.3.1 : Tuesday, 26 March 2013 18:49:45 GMT