Re: [cors] TAG request concerning CORS & Next Step(s)

Hi Jonas,

I'm just asking what Origin header behavior will be shipped in Firefox
3.5. You've said redirects of preflighted requests aren't supported,
so I'm wondering about the non-preflighted requests.

Another question, since Firefox doesn't support redirects of
preflighted requests, what does it do when it encounters a redirect?

--Tyler

On Wed, Jun 24, 2009 at 12:43 PM, Jonas Sicking<jonas@sicking.cc> wrote:
> On Wed, Jun 24, 2009 at 11:45 AM, Tyler Close<tyler.close@gmail.com> wrote:
>> On Wed, Jun 24, 2009 at 10:16 AM, Jonas Sicking<jonas@sicking.cc> wrote:
>>> Firefox 3.5 will be out in a matter of days (RC available already) and
>>> it supports the majority of CORS (everything but redirects of
>>> preflighted requests).
>>
>> What is the behavior of the Origin header on other kinds of redirects?
>> For example:
>>
>> 1. page from Site A does: POST text/plain to a URL at Site B
>>
>> 2. Site B responds with a redirect to a URL at Site A
>>
>> 3. User clicks through any presented redirect confirmation dialog
>>
>> 4. Browser sends the POST from step 1 to the specified URL at Site A.
>>
>> What is the value of the Origin header in step 4?
>
> Which "Origin" are you referring to here?
>
> The "Origin" header defined by the CORS spec is known to be bad and is
> being worked on.  So I'm not sure it's interesting to discuss what the
> CORS spec says here. (At least that was the status last I looked, I'm
> a bit behind on the last few rounds of emails though).
>
> As for the "Origin" spec that Adam Barth is working on, I'm not sure
> that the last draft is published yet, but I believe that the idea is
> to append the full redirect chain in the Origin header. (hence
> possibly making it incompatible with the CORS "Origin" meaning that
> we'll have to use another name).
>
> So again, we do know there is a problem with the Origin header in the
> CORS spec when it comes to redirects. It's a known outstanding issue
> that we believe is fixable and not a reason to abandon the whole spec.
>
> / Jonas
>



-- 
"Waterken News: Capability security on the Web"
http://waterken.sourceforge.net/recent.html

Received on Wednesday, 24 June 2009 19:53:21 UTC
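
Added example (not part of the original thread and not any browser's or server's actual code): how Site A's server could evaluate the Origin header on the step 4 request under the two behaviours discussed above, a header naming only the initiating page versus one carrying the full redirect chain. The space-separated chain encoding, the `a.example` / `b.example` hosts and all function names are assumptions made for illustration.

```javascript
// Constructed sample values: a.example is Site A, b.example is Site B.
const SITE_A = "https://a.example";
const SITE_B = "https://b.example";

// Parse an Origin header value into a list of serialized origins.
// Assumption: a redirect chain is encoded as space-separated origins.
// Returns null for a missing, "null" or malformed value.
function parseOriginChain(headerValue) {
  if (typeof headerValue !== "string") return null;
  const parts = headerValue.trim().split(/\s+/);
  if (parts.length === 1 && (parts[0] === "" || parts[0] === "null")) return null;
  const chain = [];
  for (const part of parts) {
    let url;
    try { url = new URL(part); } catch (e) { return null; }
    // A serialized origin has no path, query or fragment, so it must
    // round-trip through URL.origin unchanged.
    if (url.origin !== part.toLowerCase()) return null;
    chain.push(url.origin);
  }
  return chain;
}

// Site A's decision for a state-changing request: every origin that
// took part in the request must be trusted, not just the first one.
function allowStateChange(headerValue, trusted) {
  const chain = parseOriginChain(headerValue);
  if (chain === null) return false;
  return chain.every((origin) => trusted.has(origin));
}

// Step 4 of the scenario as seen by Site A, under two header behaviours.
function step4Decisions() {
  const trusted = new Set([SITE_A]);
  return {
    // Header names only the page that issued the POST in step 1.
    initiatorOnly: allowStateChange(SITE_A, trusted),
    // Header carries the chain: Site A, then the redirecting Site B.
    fullChain: allowStateChange(`${SITE_A} ${SITE_B}`, trusted),
    // An opaque ("null") origin is never trusted.
    opaque: allowStateChange("null", trusted),
  };
}
```

With the initiator-only header Site A accepts the request and cannot tell that Site B chose the target URL; with the chain it sees Site B and refuses.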