- From: Anne van Kesteren <annevk@opera.com>
- Date: Wed, 01 Aug 2007 17:22:16 +0200
- To: "Jonas Sicking" <jonas@sicking.cc>
- Cc: "Web APIs WG" <public-webapi@w3.org>, "Ian Hickson" <ian@hixie.ch>
On Wed, 01 Aug 2007 01:01:55 +0200, Jonas Sicking <jonas@sicking.cc> wrote:
>> Also, what happens for same-origin which redirects to non same-origin
>> which redirects to same-origin again. Do you perform an access check?
>
> In the implementation I've written, the decision whether to check access
> control headers is done by comparing the final uri with the requesting
> uri. So if you're redirected back to the original server no
> access-control check is done.
>
> I'd be all ears if someone thinks we should do checks as soon as a
> request has passed another domain at some point.

Given domain A and B I wonder if it's a problem if when a request is done from A, B can feed information back to A (through the URL; http://domain-a.org/?data=data) without any sort of access check being done anywhere.

--
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>
Received on Wednesday, 1 August 2007 15:23:33 UTC
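
The redirect case discussed in this message, as an added example that is not part of the original e-mail or of any implementation mentioned in it: it contrasts the "compare final URI with requesting URI" decision with the "check once any other domain was passed" alternative on an A -> B -> A chain. The function names and the `domain-b.org` URL are hypothetical; the chain is constructed sample data.

```javascript
// Added illustration; function names and sample URLs are hypothetical.

// Origin (scheme + host + port) of an absolute URL string.
function originOf(url) {
  return new URL(url).origin;
}

// Decision described in the quoted reply: compare only the final URI
// of the redirect chain with the requesting URI.
function needsCheckFinalOnly(requester, chain) {
  return originOf(chain[chain.length - 1]) !== originOf(requester);
}

// Alternative raised in the thread: require a check as soon as the
// request has passed through another origin at any point.
function needsCheckAnyHop(requester, chain) {
  const home = originOf(requester);
  return chain.some((url) => originOf(url) !== home);
}

// Hops on another origin. Each of these servers chose the next redirect
// target, so it could place data in the URL that is sent back home.
function crossOriginHops(requester, chain) {
  const home = originOf(requester);
  return chain.filter((url) => originOf(url) !== home);
}

// Constructed chain: A -> B -> A, where B picks the final URL.
const requester = "http://domain-a.org/page";
const chain = [
  "http://domain-a.org/start",
  "http://domain-b.org/hop",
  "http://domain-a.org/?data=data",
];

// Summarise both decisions for one request.
function evaluate(req, hops) {
  return {
    finalOnly: needsCheckFinalOnly(req, hops),
    anyHop: needsCheckAnyHop(req, hops),
    passedThrough: crossOriginHops(req, hops),
  };
}

console.log(evaluate(requester, chain));
```

On the sample chain the final-URI comparison reports that no check is needed while the any-hop rule does require one, which is the gap the question above is about.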