Re: [xhr2] cross site non-GET requests and redirects

On Mon, 06 Aug 2007 23:39:28 +0200, Jonas Sicking <jonas@sicking.cc> wrote:
>> Given domain A and B I wonder if it's a problem if when a request is  
>> done from A, B can feed information back to A (through the URL;  
>> http://domain-a.org/?data=data) without any sort of access check being  
>> done anywhere.
>
> Yeah, I've been thinking about this scenario too. I think I agree with  
> you actually, especially given that I don't see any good usecases for  
> not doing the check in this scenario.

Agree? I was just wondering :-) In any case, I could easily solve this in  
the specification by having a "has been non same-origin flag" which is set  
to "true" the moment you make a non same-origin request or you are  
redirected to a non-same origin location. Based on the value of that flag  
you would then decide to do an access check. Sounds reasonable? (Besides  
of course the already in place algorithms for a non-GET request to a  
same-origin server which redirects to a non same-origin server.)


-- 
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>

Received on Tuesday, 7 August 2007 10:26:53 UTC