- From: Anne van Kesteren <annevk@opera.com>
- Date: Mon, 06 Oct 2008 16:07:13 +0200
- To: "WebApps WG" <public-webapps@w3.org>
On Fri, 03 Oct 2008 14:10:43 +0200, Anne van Kesteren <annevk@opera.com> wrote:

> Since Jonas didn't e-mail about this I thought I would. Say
> http://x.example/x does a request to http://y.example/y.
> http://y.example/y redirects to http://x.example/y. If this request were
> to use the Access Control specification the algorithm would have a
> status return flag set to "same-origin" and a url return flag set to
> http://x.example/y. XMLHttpRequest Level 2 would then attempt a same
> origin request to http://x.example/y.
>
> For simplicity and to err on the side of security it has been suggested
> to remove the status return flag "same-origin" and simply keep following
> the normal rules. This would mean that if that request were to be
> successful http://x.example/y would need to include
> Access-Control-Allow-Origin: http://x.example (or a value * would also
> be ok if the credentials flag is false). I'm planning on making this
> change in the next few days.

I updated both Access Control and XMLHttpRequest Level 2 to no longer special-case the scenario where, during a non-same-origin request, you're redirected to a same-origin URL. Both specifications use the "status flag" (previously known as the "status return flag") and the "url return flag" is gone.

-- 
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>
Received on Monday, 6 October 2008 14:40:34 UTC
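A small simulation of the rule change discussed in this message, added here as an example and not code from either specification or from the thread: `cross_origin_request` follows a redirect chain and applies the Access-Control-Allow-Origin check to every response, including a same-origin one reached via redirect, with an `old_same_origin_rule` switch that reproduces the removed "same-origin" short-circuit for comparison. The `Response` class, the flag names used as return values and the sample responses are constructed for the example and simplify the real algorithm.

```python
from dataclasses import dataclass, field
from urllib.parse import urlsplit

@dataclass
class Response:
    """Minimal stand-in for an HTTP response (constructed for this example)."""
    status: int
    headers: dict[str, str] = field(default_factory=dict)

def origin_of(url: str) -> str:
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}"

def allow_origin_check(origin: str, resp: Response, credentials: bool) -> bool:
    """Access-Control-Allow-Origin must name the requesting origin;
    "*" is only acceptable when the credentials flag is false."""
    allow = resp.headers.get("Access-Control-Allow-Origin")
    if allow is None:
        return False
    if allow == "*":
        return not credentials
    return allow == origin

def cross_origin_request(origin: str, url: str, responses: dict[str, Response],
                         credentials: bool = False, old_same_origin_rule: bool = False,
                         max_redirects: int = 10) -> tuple[str, str]:
    """Follow redirects and return (status flag, final URL).
    old_same_origin_rule=True simulates the removed behaviour: arriving at a
    same-origin URL short-circuits with the "same-origin" flag and no header check.
    With it off, every response in the chain, same-origin or not, must pass the check."""
    for _ in range(max_redirects + 1):
        if old_same_origin_rule and origin_of(url) == origin:
            return "same-origin", url
        resp = responses[url]
        if not allow_origin_check(origin, resp, credentials):
            return "network error", url
        if resp.status in (301, 302, 303, 307) and "Location" in resp.headers:
            url = resp.headers["Location"]
            continue
        return "success", url
    return "network error", url  # too many redirects

# Constructed responses for the thread's scenario: y.example redirects back to x.example.
ACAO = "Access-Control-Allow-Origin"
RESPONSES = {
    "http://y.example/y": Response(302, {ACAO: "http://x.example",
                                         "Location": "http://x.example/y"}),
    "http://x.example/y": Response(200),  # same-origin target without any ACAO header
}
```

With the old rule the request to http://y.example/y ends with the "same-origin" flag at http://x.example/y; with the updated rule the same chain is a network error until http://x.example/y itself sends Access-Control-Allow-Origin: http://x.example (or * without credentials).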