- From: Thomas Roessler <tlr@w3.org>
- Date: Tue, 19 Jan 2010 08:00:19 +0100
- To: W3C WebApps WG <public-webapps@w3.org>
- Cc: public-web-security@w3.org, Thomas Roessler <tlr@w3.org>
Reviewing the XMLHttpRequest specification, the same origin request event rules are underspecified: http://www.w3.org/TR/XMLHttpRequest/#same-origin-request-event-rules > The same-origin request event rules are as follows: > > If the response is an HTTP redirect > > If the redirect does not violate security (it is same origin for instance), infinite loop precautions, and the scheme is supported, transparently follow the redirect while observing the same-origin request event rules. What does "does not violate security" mean? Is a same origin redirect the only redirect that's considered to "not violate security"? The specification neither gives a security policy for redirects, nor does it spell out this behavior as implementation-defined (in which case one would expect security considerations that could give implementers guidance). Regards, -- Thomas Roessler, W3C <tlr@w3.org>
Received on Tuesday, 19 January 2010 07:00:22 UTC