- From: Anne van Kesteren <annevk@opera.com>
- Date: Tue, 17 Mar 2009 21:50:21 +0100
- To: "WebApps WG" <public-webapps@w3.org>

I took another look at redirects today.

* simple cross-origin request

  For this case redirects can simply be followed. Some redirects will cause the request method to be changed from HEAD, GET, or POST to GET. Per HTTP that would be 303. Per implementations that would be 301, 302, and 303. (Some implementations also change to GET for 307, some show a warning/dialog.)

* cross-origin request with preflight, preflight request

  Since OPTIONS is safe it should just go through redirects apart from 303. We could special case 303 as Jonas suggested and not treat it as a redirect.

* cross-origin request with preflight, actual request

  If we want to follow redirects here at all we can only do it for requests that do not require a preflight. Therefore I'm still not quite convinced that we should honor 303 here because the headers might still be dangerous and have not been checked prior to the request. I think doing what the specification suggests here is safest.

Overall, I still think that the only change we possibly want to make is for preflight requests. I'd appreciate feedback!

--
Anne van Kesteren
http://annevankesteren.nl/

Received on Tuesday, 17 March 2009 20:51:15 UTC