- From: Anne van Kesteren <annevk@opera.com>
- Date: Wed, 23 Sep 2009 14:34:35 +0200
- To: "Collin Jackson" <collin@collinjackson.com>, "Adam Barth" <w3c@adambarth.com>, "Mark Nottingham" <mnot@mnot.net>, "Ian Hickson" <ian@hixie.ch>, "HTTP Working Group" <ietf-http-wg@w3.org>, public-webapps@w3.org, "Tyler Close" <tyler.close@gmail.com>
On Tue, 22 Sep 2009 20:38:46 +0200, Collin Jackson <collin@collinjackson.com> wrote:

> Proposal
>
> Same-origin redirects are allowed. Redirects from same-origin to
> cross-origin are also allowed. When processing a redirect from one
> foreign origin to another, the browser replaces the Origin header with
> "null". In this situation, the browser appends a Sec-Redirect-Chain
> header that allows sophisticated sites to see the list of origins that
> contributed to this request.

I don't think this works well with the preflight result cache. For more thoughts on that see this email:

http://lists.w3.org/Archives/Public/public-webapps/2009AprJun/1000.html

I agree that it would be good to merge Origin and Sec-From. I've been thinking about a simplification of CORS that would make this possible while avoiding the complexity you run into with the preflight result cache.

My proposal is to make redirects not work for cross-origin requests with a preflight. That is, only make them work for simple cross-origin requests. For cross-origin requests with a preflight the redirect status codes would be the equivalent of a network error so we can in the future make changes there.

This would allow us to use CORS for the EventSource object (which uses the equivalent of a simple request). It would also make it possible to use it for <img>. Basically, if the resource sharing check is successful we could add a flag to the <img> so that it does not taint the <canvas>, allowing you to use images from a different server on the <canvas> element while keeping the ability to export image data.

For the scenarios where XMLHttpRequest is involved, redirects would not work for now. Maybe something to address in CORS v2, or maybe it turns out it is not really needed.

For simple cross-origin requests Origin would be a space-separated list of origins indicating the redirect chain. What order would be best there?

This is more or less what I'm planning to go with (will wait a day or so with specifying to allow for feedback) unless someone has a better idea that keeps things relatively simple and works with the preflight result cache.

Kind regards,

-- 
Anne van Kesteren
http://annevankesteren.nl/
Received on Wednesday, 23 September 2009 12:35:25 UTC
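A small model of the redirect rules sketched in this message, added here as an illustration and not code from Anne, Collin or any browser: simple cross-origin requests carry the redirect chain in Origin, while cross-origin requests that need a preflight fail on any redirect. The chain order (oldest origin first), the way a multi-origin Origin is matched against Access-Control-Allow-Origin, and the fake servers are assumptions of the example, not something the thread settles.

```python
from urllib.parse import urljoin, urlparse

REDIRECTS = {301, 302, 303, 307, 308}
NETWORK_ERROR = "network error"
SEEN_ORIGINS = []  # Origin values the fake servers received

def origin_of(url):
    """scheme://host[:port], the unit CORS compares."""
    p = urlparse(url)
    return f"{p.scheme}://{p.netloc}".lower()

def resource_sharing_check(chain, allow_origin):
    """Assumed rule for a multi-origin Origin: "*" or a list naming every origin."""
    allowed = (allow_origin or "").split()
    return allowed == ["*"] or all(o in allowed for o in chain)

def cors_fetch(url, initiator, needs_preflight, fetch, max_hops=20):
    """Follow redirects under the proposed rules; fetch(url, headers) stands in
    for the network. Assumption: the Origin chain lists the oldest origin first."""
    chain = [initiator]
    for _ in range(max_hops):
        cross_origin = origin_of(url) != initiator
        headers = {"Origin": " ".join(chain)} if cross_origin else {}
        status, resp = fetch(url, headers)
        if status not in REDIRECTS:
            if cross_origin and not resource_sharing_check(
                    chain, resp.get("Access-Control-Allow-Origin")):
                return NETWORK_ERROR
            return status, resp
        target = urljoin(url, resp["Location"])
        # Proposal: with a preflight, any redirect involving a foreign origin fails.
        if needs_preflight and (cross_origin or origin_of(target) != initiator):
            return NETWORK_ERROR
        if origin_of(url) != chain[-1]:
            chain.append(origin_of(url))  # the redirecting origin contributed
        url = target
    return NETWORK_ERROR

def fake_network(url, headers):
    """Constructed servers: a.example -> b.example -> c.example (open to all)."""
    SEEN_ORIGINS.append(headers.get("Origin"))
    table = {
        "https://a.example/img.png": (302, {"Location": "https://b.example/img.png"}),
        "https://b.example/img.png": (302, {"Location": "https://c.example/img.png"}),
        "https://c.example/img.png": (200, {"Access-Control-Allow-Origin": "*"}),
    }
    return table[url]
```

Running the simple request through the fake servers shows c.example receiving `Origin: https://a.example https://b.example`, while the same request marked as needing a preflight stops with a network error at the first redirect.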