- From: Adam Barth <w3c@adambarth.com>
- Date: Tue, 9 Jun 2009 16:05:31 -0700
- To: Jonas Sicking <jonas@sicking.cc>
- Cc: Tyler Close <tyler.close@gmail.com>, public-webapps <public-webapps@w3.org>

On Tue, Jun 9, 2009 at 3:40 PM, Jonas Sicking <jonas@sicking.cc> wrote:
> I'm in general not a big fan of the redirect model in CORS, but this
> one especially seems like a problem. One solution would be to include
> the full redirect chain (or change the Origin to 'null') if
> redirecting across servers with a non-safe HTTP method.

Either of these are fine with me. I'll update the Origin-for-CSRF-defense
draft to match whatever CORS would like to do here.

Adam

Received on Tuesday, 9 June 2009 23:06:36 UTC