- From: Jonas Sicking <jonas@sicking.cc>
- Date: Mon, 06 Aug 2007 14:39:28 -0700
- To: Anne van Kesteren <annevk@opera.com>
- CC: Web APIs WG <public-webapi@w3.org>, Ian Hickson <ian@hixie.ch>
Anne van Kesteren wrote:
>
> On Wed, 01 Aug 2007 01:01:55 +0200, Jonas Sicking <jonas@sicking.cc> wrote:
>>> Also, what happens for same-origin which redirects to non same-origin
>>> which redirects to same-origin again. Do you perform an access check?
>>
>> In the implementation I've written, the decision whether to check
>> access control headers is done by comparing the final uri with the
>> requesting uri. So if you're redirected back to the original server no
>> access-control check is done.
>>
>> I'd be all ears if someone thinks we should do checks as soon as a
>> request has passed another domain at some point.
>
> Given domain A and B I wonder if it's a problem if when a request is
> done from A, B can feed information back to A (through the URL;
> http://domain-a.org/?data=data) without any sort of access check being
> done anywhere.

Yeah, I've been thinking about this scenario too. I think I agree with
you actually, especially given that I don't see any good use cases for
not doing the check in this scenario.

/ Jonas
Received on Monday, 6 August 2007 21:40:59 UTC
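The two policies under discussion (compare only the final URI, versus check as soon as any hop left the requester's origin) can be modelled directly. The following is an added illustration, not code from the thread or from any browser implementation; the requester URL, the intermediate host `domain-b.org` and the redirect chain are constructed for the scenario Anne describes.

```python
# Added example: model the redirect-chain access-check decision discussed in the thread.
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url):
    """Return (scheme, host, port) for a URL, filling in the scheme's default port."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return (scheme, (parts.hostname or "").lower(), port)


def same_origin(a, b):
    return origin_of(a) == origin_of(b)


def foreign_origins(requester, chain):
    """Every origin in the chain (request URL plus each redirect target) that is not the requester's."""
    seen = []
    for url in chain:
        o = origin_of(url)
        if not same_origin(requester, url) and o not in seen:
            seen.append(o)
    return seen


def needs_access_check(requester, chain, policy):
    """
    chain:  the request URL followed by each redirect target, in order.
    policy: "final"   -> compare only the final URL with the requester (the
                         behaviour Jonas describes for his implementation);
            "any-hop" -> require a check once any URL in the chain is cross-origin
                         (the alternative Anne's scenario argues for).
    """
    if policy == "final":
        return not same_origin(requester, chain[-1])
    if policy == "any-hop":
        return any(not same_origin(requester, url) for url in chain)
    raise ValueError("unknown policy: %r" % (policy,))


# Constructed sample: A requests its own server, is bounced through B, and B
# redirects back to A with data of B's choosing in the query string.
SAMPLE_REQUESTER = "http://domain-a.org/page"
SAMPLE_CHAIN = [
    "http://domain-a.org/api",
    "http://domain-b.org/redirector",      # constructed intermediate origin
    "http://domain-a.org/?data=data",      # the URL quoted in the thread
]

if __name__ == "__main__":
    for policy in ("final", "any-hop"):
        print(policy, "->", needs_access_check(SAMPLE_REQUESTER, SAMPLE_CHAIN, policy))
    print("foreign hops:", foreign_origins(SAMPLE_REQUESTER, SAMPLE_CHAIN))
```

Under the "final" policy the sample chain yields no check even though B chose the query string of the final URL; under "any-hop" the detour through B is enough to require one.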