- From: Tyler Close <tyler.close@gmail.com>
- Date: Wed, 24 Jun 2009 12:52:40 -0700
- To: Jonas Sicking <jonas@sicking.cc>
- Cc: Arthur Barstow <Art.Barstow@nokia.com>, public-webapps <public-webapps@w3.org>, Henry Thompson <ht@inf.ed.ac.uk>

Hi Jonas,

I'm just asking what Origin header behavior will be shipped in Firefox 3.5. You've said redirects of preflighted requests aren't supported, so I'm wondering about the non-preflighted requests.

Another question, since Firefox doesn't support redirects of preflighted requests, what does it do when it encounters a redirect?

--Tyler

On Wed, Jun 24, 2009 at 12:43 PM, Jonas Sicking<jonas@sicking.cc> wrote:
> On Wed, Jun 24, 2009 at 11:45 AM, Tyler Close<tyler.close@gmail.com> wrote:
>> On Wed, Jun 24, 2009 at 10:16 AM, Jonas Sicking<jonas@sicking.cc> wrote:
>>> Firefox 3.5 will be out in a matter of days (RC available already) and
>>> it supports the majority of CORS (everything but redirects of
>>> preflighted requests).
>>
>> What is the behavior of the Origin header on other kinds of redirects?
>> For example:
>>
>> 1. page from Site A does: POST text/plain to a URL at Site B
>>
>> 2. Site B responds with a redirect to a URL at Site A
>>
>> 3. User clicks through any presented redirect confirmation dialog
>>
>> 4. Browser sends the POST from step 1 to the specified URL at Site A.
>>
>> What is the value of the Origin header in step 4?
>
> Which "Origin" are you referring to here?
>
> The "Origin" header defined by the CORS spec is known to be bad and is
> being worked on. So I'm not sure it's interesting to discuss what the
> CORS spec says here. (At least that was the status last I looked, I'm
> a bit behind on the last few rounds of emails though).
>
> As for the "Origin" spec that Adam Barth is working on, I'm not sure
> that the last draft is published yet, but I believe that the idea is
> to append the full redirect chain in the Origin header. (hence
> possibly making it incompatible with the CORS "Origin" meaning that
> we'll have to use another name).
>
> So again, we do know there is a problem with the Origin header in the
> CORS spec when it comes to redirects. It's a known outstanding issue
> that we believe is fixable and not a reason to abandon the whole spec.
>
> / Jonas
>

--
"Waterken News: Capability security on the Web"
http://waterken.sourceforge.net/recent.html

Received on Wednesday, 24 June 2009 19:53:21 UTC