- From: Anne van Kesteren <annevk@opera.com>
- Date: Wed, 18 Mar 2009 12:23:30 +0100
- To: "WebApps WG" <public-webapps@w3.org>
On Tue, 17 Mar 2009 21:56:52 +0100, Anne van Kesteren <annevk@opera.com> wrote:
> On Tue, 17 Mar 2009 21:50:21 +0100, Anne van Kesteren <annevk@opera.com>
> wrote:
>> * cross-origin request with preflight, actual request
>>
>> If we want to follow redirects here at all we can only do it for
>> requests that do not require a preflight. Therefore I'm still not quite
>> convinced that we should honor 303 here because the headers might still
>> be dangerous and have not been checked prior to the request. I think
>> doing what the specification suggests here is safest.
>
> Alternatively, we could change the specification so that redirects are
> not followed, but that their contents (and maybe the Location header)
> are exposed to application authors if the resource sharing check works
> out ok. That way the details are still revealed but we do not have to
> get really complicated and perform a preflight request for every
> redirect that follows an actual request.

Thinking about this some more I'd rather treat redirects as errors. I think that will work better as a future extension point. It also is more consistent I think. They are either a point of error or are "transparently" followed.

So that leaves deciding what to do with a 303 on a preflight request. I'm leaning towards simply making it a network error.

--
Anne van Kesteren
http://annevankesteren.nl/
Received on Wednesday, 18 March 2009 11:24:28 UTC
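
Added example, not part of the original message or of the specification text: a small JavaScript model of the redirect policy the message leans towards, run over a constructed in-memory "network". All function names, URLs and responses are hypothetical, the resource sharing check is reduced to an Access-Control-Allow-Origin match, and checking that header on each followed hop is an assumption.

```javascript
// Added illustration; every name and the sample "network" are constructed.
const REDIRECT = new Set([301, 302, 303, 307]);
const ORIGIN = "https://a.example";

// Constructed responses keyed by "METHOD url".
const network = {
  "GET https://b.example/old": { status: 303, location: "https://b.example/new", allowOrigin: ORIGIN },
  "GET https://b.example/new": { status: 200, allowOrigin: ORIGIN },
  "OPTIONS https://b.example/old": { status: 200, allowOrigin: ORIGIN },
  "OPTIONS https://b.example/moved": { status: 303, location: "https://b.example/new", allowOrigin: ORIGIN },
  "OPTIONS https://b.example/new": { status: 200, allowOrigin: ORIGIN },
};

const networkError = (stage) => ({ ok: false, error: "network error", stage });

// Resource sharing check, reduced to the Access-Control-Allow-Origin match.
function sharingCheck(res, origin) {
  return res.allowOrigin === "*" || res.allowOrigin === origin;
}

function crossOriginRequest(url, { origin = ORIGIN, needsPreflight = false, maxHops = 5 } = {}) {
  if (needsPreflight) {
    const pre = network["OPTIONS " + url];
    // A redirect answering the preflight is a network error, never followed.
    if (!pre || REDIRECT.has(pre.status) || !sharingCheck(pre, origin)) {
      return networkError("preflight");
    }
  }
  let current = url;
  for (let hop = 0; hop <= maxHops; hop++) {
    const res = network["GET " + current];
    if (!res || !sharingCheck(res, origin)) return networkError("request");
    if (!REDIRECT.has(res.status)) return { ok: true, status: res.status, url: current };
    // The new target was never preflighted, so the request headers are
    // unchecked there: treat the redirect as an error instead of following.
    if (needsPreflight) return networkError("redirect after preflight");
    current = res.location; // no preflight required: follow transparently
  }
  return networkError("too many redirects");
}
```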