- From: Jonas Sicking <jonas@sicking.cc>
- Date: Wed, 24 Jun 2009 12:43:31 -0700
- To: Tyler Close <tyler.close@gmail.com>
- Cc: Arthur Barstow <Art.Barstow@nokia.com>, public-webapps <public-webapps@w3.org>, Henry Thompson <ht@inf.ed.ac.uk>

On Wed, Jun 24, 2009 at 11:45 AM, Tyler Close<tyler.close@gmail.com> wrote:
> On Wed, Jun 24, 2009 at 10:16 AM, Jonas Sicking<jonas@sicking.cc> wrote:
>> Firefox 3.5 will be out in a matter of days (RC available already) and
>> it supports the majority of CORS (everything but redirects of
>> preflighted requests).
>
> What is the behavior of the Origin header on other kinds of redirects?
> For example:
>
> 1. page from Site A does: POST text/plain to a URL at Site B
>
> 2. Site B responds with a redirect to a URL at Site A
>
> 3. User clicks through any presented redirect confirmation dialog
>
> 4. Browser sends the POST from step 1 to the specified URL at Site A.
>
> What is the value of the Origin header in step 4?

Which "Origin" are you referring to here?

The "Origin" header defined by the CORS spec is known to be bad and is being worked on. So I'm not sure it's interesting to discuss what the CORS spec says here. (At least that was the status last I looked, I'm a bit behind on the last few rounds of emails though).

As for the "Origin" spec that Adam Barth is working on, I'm not sure that the last draft is published yet, but I believe that the idea is to append the full redirect chain in the Origin header. (hence possibly making it incompatible with the CORS "Origin" meaning that we'll have to use another name).

So again, we do know there is a problem with the Origin header in the CORS spec when it comes to redirects. It's a known outstanding issue that we believe is fixable and not a reason to abandon the whole spec.

/ Jonas

Received on Wednesday, 24 June 2009 19:44:31 UTC