- From: Adam Barth <w3c@adambarth.com>
- Date: Wed, 24 Jun 2009 20:09:59 -0700
- To: Bil Corry <bil@corry.biz>
- Cc: Jonas Sicking <jonas@sicking.cc>, Tyler Close <tyler.close@gmail.com>, Arthur Barstow <Art.Barstow@nokia.com>, public-webapps <public-webapps@w3.org>, Henry Thompson <ht@inf.ed.ac.uk>
On Wed, Jun 24, 2009 at 5:42 PM, Bil Corry<bil@corry.biz> wrote: > Adam Barth wrote on 6/24/2009 6:16 PM: >> I've uploaded the latest draft just now: >> >> http://www.ietf.org/internet-drafts/draft-abarth-origin-01.txt >> >> The draft now uses a different header name to avoid conflicting with >> CORS and behaves as Jonas describes. > > Why is the spec providing a choice for how to handle redirects? It's always secure to send null in the header. In some cases, you might have a really long redirect chain and the UA might want to bound the header to some length. > Or is it saying that if #2 doesn't apply, then #1? It says precisely what it says. The UA MUST either do (1) or (2). Sometimes it can't do (2). In those cases it MUST do (1). Sometimes the UA might be able to do (2) but choose to do (1) anyway. Adam
Received on Thursday, 25 June 2009 03:10:59 UTC