Re: CORS redirect behavior proposal

On Thu, Sep 24, 2009 at 9:00 AM, Anne van Kesteren wrote:
> I have now specified the approach we discussed:
> For simple requests redirects are followed. For other cross-origin requests
> they are the equivalent of a network error. The Origin header is a
> U+0020-separated list of origins. Each time a redirect takes place an origin
> is added to the origin chain if it is not the same as the last origin that
> was added. The Access-Control-Allow-Origin header needs to be identical to
> the value of the Origin header, octet-for-octet.
> Let me know if I missed anything or if the draft is unclear.

I've updated draft-abarth-origin to match (and switched the header
name back from Sec-From to Origin):


Received on Thursday, 24 September 2009 23:23:37 UTC
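
The redirect rules quoted in this message, worked through on a constructed redirect chain. This is an added example, not code from the thread or from either draft. The function names, the example.* URLs, the choice of which origin gets appended (the origin of the URL that issued the redirect) and the decision to check only the final response are assumptions.

```javascript
// Added illustration; function names and sample URLs are hypothetical.
// Assumptions: the chain starts with the requesting page's origin, and on a
// redirect the origin of the URL that issued the redirect is the one appended.
// Only the final response's header is checked here.

function originOf(url) {
  return new URL(url).origin; // scheme://host[:port], default port dropped
}

// Append an origin unless it equals the last one that was added.
function appendOrigin(chain, origin) {
  if (chain[chain.length - 1] !== origin) chain.push(origin);
}

// hops: constructed responses in order, each { url, status, acao }.
function followCors(sourceOrigin, hops, isSimple) {
  const chain = [sourceOrigin];
  for (const hop of hops) {
    const originHeader = chain.join(" "); // U+0020-separated list
    if (hop.status >= 300 && hop.status < 400) {
      if (!isSimple) {
        return { ok: false, reason: "network error", originHeader };
      }
      appendOrigin(chain, originOf(hop.url));
      continue;
    }
    // Exact comparison: no trimming, case folding or partial match.
    const ok = hop.acao === originHeader;
    return { ok, reason: ok ? "allowed" : "origin mismatch", originHeader };
  }
  return { ok: false, reason: "no final response", originHeader: chain.join(" ") };
}

// Constructed chain: a page on a.example requests b.example, which redirects
// within b.example and then to c.example.
function sampleHops(acao) {
  return [
    { url: "https://b.example/api", status: 302 },
    { url: "https://b.example/v2", status: 302 },
    { url: "https://c.example/data", status: 200, acao },
  ];
}

const full = "https://a.example https://b.example";
console.log(followCors("https://a.example", sampleHops(full), true));
console.log(followCors("https://a.example", sampleHops("https://a.example"), true));
console.log(followCors("https://a.example", sampleHops(full), false));
```

The second redirect stays within b.example, so that origin is not added twice, and a final response that echoes only the first origin fails the comparison.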