- From: Aaron Boodman <aa@google.com>
- Date: Sun, 16 Aug 2009 01:00:08 -0700
- To: "public-webapps@w3.org Group WG" <public-webapps@w3.org>
I change my opinion. In the access control spec, I now see:

    5.1 Simple Cross-Origin Request, Actual Request, and Redirects

    In response to a simple cross-origin request or actual request the
    resource indicates whether or not to share the response. If the
    resource has been relocated, it indicates whether to share its new
    URL.

So I think in the case I asked about, the answer would be that the redirect should not be followed and it should be a security error.

Please let me know if this interpretation is wrong.

- a

On Sat, Aug 15, 2009 at 3:40 PM, Aaron Boodman <aa@google.com> wrote:
> What is supposed to happen in a UA that supports XMLHttpRequest Level
> 2 when a cross-origin request redirects to a same-origin resource and
> no access control headers are sent by either the client or server?
>
> It seems like the spec says this is supposed to succeed, but it isn't
> super clear to me. If it is supposed to succeed, isn't there a worry
> that the redirect itself (or lack thereof) could be an information
> leak?
>
> - a
Received on Sunday, 16 August 2009 08:00:49 UTC
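The rule quoted in the message, modelled as a small redirect-chain check. This is an added example, not code from the W3C spec or any browser: a constructed chain of responses is walked the way a UA would walk it, and a cross-origin hop that does not opt in with Access-Control-Allow-Origin ends the request with a security error instead of following its Location. One assumption is labelled in the comments: once a request has gone cross-origin, every later hop is checked too, even one that lands back on the page's own origin.

```javascript
// Model of the redirect rule from the access-control spec text quoted above.
// Added example, not W3C or browser code. Assumption: once a request has gone
// cross-origin, every later hop is checked, including one that redirects back
// to the page's own origin.

function originOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.host}`;
}

function allowsOrigin(headers, origin) {
  const acao = headers["access-control-allow-origin"];
  return acao === "*" || acao === origin;
}

// chain: the responses a UA would receive in order, each { url, status, headers }.
// Header names are matched case-insensitively.
// Returns { ok: true, finalUrl } or { ok: false, error, atUrl }.
function evaluateRedirectChain(requestingOrigin, chain) {
  let crossOrigin = false;
  for (let i = 0; i < chain.length; i++) {
    const hop = chain[i];
    const headers = Object.fromEntries(
      Object.entries(hop.headers || {}).map(([k, v]) => [k.toLowerCase(), v]));
    if (originOf(hop.url) !== requestingOrigin) crossOrigin = true;
    if (crossOrigin && !allowsOrigin(headers, requestingOrigin)) {
      // The resource did not indicate that its response (or its new URL) may
      // be shared, so the UA stops here without following any Location.
      return { ok: false, error: "security error", atUrl: hop.url };
    }
    const isRedirect = hop.status >= 300 && hop.status < 400 && headers.location;
    if (!isRedirect) return { ok: true, finalUrl: hop.url };
    const target = new URL(headers.location, hop.url).href;
    if (!chain[i + 1] || chain[i + 1].url !== target) {
      return { ok: false, error: "chain does not continue at " + target, atUrl: hop.url };
    }
  }
  return { ok: false, error: "empty chain", atUrl: null };
}

// Constructed chain for the case asked about in the thread: a cross-origin
// request redirected to a same-origin resource with no access-control headers.
const PAGE_ORIGIN = "https://app.example";
const QUESTION_CASE = [
  { url: "https://api.example/data", status: 302,
    headers: { Location: "https://app.example/data" } },
  { url: "https://app.example/data", status: 200, headers: {} },
];
```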