Re: CORS redirect behavior proposal

On Thu, Sep 24, 2009 at 9:00 AM, Anne van Kesteren <annevk@opera.com> wrote:
> I have now specified the approach we discussed:
>
>  http://dev.w3.org/2006/waf/access-control/
>
> For simple requests redirects are followed. For other cross-origin requests
> they are the equivalent of a network error. The Origin header is a
> U+0020-separated list of origins. Each time a redirect takes place an origin
> is added to the origin chain if it is not the same as the last origin that
> was added. The Access-Control-Allow-Origin header needs to be identical to
> the value of the Origin header, octet-for-octet.
>
> Let me know if I missed anything or if the draft is unclear.

I've updated draft-abarth-origin to match (and switched the header
name back from Sec-From to Origin):

http://www.ietf.org/id/draft-abarth-origin-03.txt

Thanks,
Adam

Received on Thursday, 24 September 2009 23:23:37 UTC