Re: [cors] Redirects

On Tue, 17 Mar 2009 21:50:21 +0100, Anne van Kesteren <>  
> * cross-origin request with preflight, actual request
> If we want to follow redirects here at all we can only do it for  
> requests that do not require a preflight. Therefore I'm still not quite  
> convinced that we should honor 303 here because the headers might still  
> be dangerous and have not been checked prior to the request. I think  
> doing what the specification suggests here is safest.

Alternatively, we could change the specification so that redirects are not  
followed, but that their contents (and maybe the Location header) are  
exposed to application authors if the resource sharing check works out ok.  
That way the details are still revealed but we do not have to get really  
complicated and perform a preflight request for every redirect that  
follows an actual request.

Anne van Kesteren

Received on Tuesday, 17 March 2009 20:57:38 UTC