Re: [cors] Redirects

On Tue, 17 Mar 2009 21:56:52 +0100, Anne van Kesteren <annevk@opera.com>  
wrote:
> On Tue, 17 Mar 2009 21:50:21 +0100, Anne van Kesteren <annevk@opera.com>  
> wrote:
>> * cross-origin request with preflight, actual request
>>
>> If we want to follow redirects here at all we can only do it for  
>> requests that do not require a preflight. Therefore I'm still not quite  
>> convinced that we should honor 303 here because the headers might still  
>> be dangerous and have not been checked prior to the request. I think  
>> doing what the specification suggests here is safest.
>
> Alternatively, we could change the specification so that redirects are  
> not followed, but that their contents (and maybe the Location header)  
> are exposed to application authors if the resource sharing check works  
> out ok. That way the details are still revealed but we do not have to  
> get really complicated and perform a preflight request for every  
> redirect that follows an actual request.

Thinking about this some more, I'd rather treat redirects as errors. I think  
that will work better as a future extension point. It also is more  
consistent I think. They are either a point of error or are  
"transparently" followed.

So that leaves deciding what to do with a 303 on a preflight request. I'm  
leaning towards simply making it a network error.


-- 
Anne van Kesteren
http://annevankesteren.nl/

Received on Wednesday, 18 March 2009 11:24:28 UTC