Re: CORS redirect behavior proposal

I have now specified the approach we discussed:

For simple requests redirects are followed. For other cross-origin  
requests they are the equivalent of a network error. The Origin header is  
a U+0020-separated list of origins. Each time a redirect takes place an  
origin is added to the origin chain if it is not the same as the last  
origin that was added. The Access-Control-Allow-Origin header needs to be  
identical to the value of the Origin header, octet-for-octet.

Let me know if I missed anything or if the draft is unclear.

On Thu, 24 Sep 2009 13:17:09 +0200, Anne van Kesteren <>  
> That would also allow multiple headers to be used I think. Since  
> Access-Control-Allow-Origin needs to have an identical value to the  
> Origin header I do not think that would work well. Well, it would  
> probably work, but would make all the processing a lot more complicated  
> than it needs to be. (I'd prefer it to just be a simple string  
> comparison.)
>>> What order would be best there?
>> I think the simplest thing is to list the origins in the order in
>> which the user agent encounters them (with adjacent duplicates
>> removed).
> That sounds reasonable.

Anne van Kesteren

Received on Thursday, 24 September 2009 16:01:18 UTC