- From: Anne van Kesteren <annevk@opera.com>
- Date: Tue, 07 Aug 2007 12:26:23 +0200
- To: "Jonas Sicking" <jonas@sicking.cc>
- Cc: "Web APIs WG" <public-webapi@w3.org>, "Ian Hickson" <ian@hixie.ch>
On Mon, 06 Aug 2007 23:39:28 +0200, Jonas Sicking <jonas@sicking.cc> wrote: >> Given domain A and B I wonder if it's a problem if when a request is >> done from A, B can feed information back to A (through the URL; >> http://domain-a.org/?data=data) without any sort of access check being >> done anywhere. > > Yeah, I've been thinking about this scenario too. I think I agree with > you actually, especially given that I don't see any good usecases for > not doing the check in this scenario. Agree? I was just wondering :-) In any case, I could easily solve this in the specification by having a "has been non same-origin flag" which is set to "true" the moment you make a non same-origin request or you are redirected to a non-same origin location. Based on the value of that flag you would then decide to do an access check. Sounds reasonable? (Besides of course the already in place algorithms for a non-GET request to a same-origin server which redirects to a non same-origin server.) -- Anne van Kesteren <http://annevankesteren.nl/> <http://www.opera.com/>
Received on Tuesday, 7 August 2007 10:26:53 UTC