- From: Anne van Kesteren <annevk@opera.com>
- Date: Sun, 16 Aug 2009 10:37:40 +0200
- To: "Aaron Boodman" <aa@google.com>, "public-webapps@w3.org Group WG" <public-webapps@w3.org>
On Sun, 16 Aug 2009 10:00:08 +0200, Aaron Boodman <aa@google.com> wrote:
> I change my opinion. In the access control spec, I now see:
>
> 5.1 Simple Cross-Origin Request, Actual Request, and Redirects
> In response to a simple cross-origin request or actual request the
> resource indicates whether or not to share the response.
> If the resource has been relocated, it indicates whether to share its
> new URL.
>
> So I think in the case I asked about, the answer would be that the
> redirect should not be followed and it should be a security error.
> Please let me know if this interpretation is wrong.

You're asking about user agent behavior and as such the answer cannot actually be found in the resource processing model section ;-) What you are looking for is described here:

http://dev.w3.org/2006/waf/access-control/#redirect-steps

You are right however that for a cross-origin to same-origin redirect the headers need to be included. (The redirect steps include a note to that effect in case it was not directly clear from the algorithm.)

Having said all that, we have an outstanding issue with redirects that needs solving:

http://lists.w3.org/Archives/Public/public-webapps/2009AprJun/1000.html

I haven't really given it another thought yet, as I'm hoping a few other people will take a crack at it first.

Cheers,

--
Anne van Kesteren
http://annevankesteren.nl/
Received on Sunday, 16 August 2009 08:38:29 UTC
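The user-agent behaviour discussed above, as an added example that is not part of the thread or of the spec text: a small Python model of a browser following a cross-origin redirect chain, applying the resource sharing check to every response once the request has left the page's origin, so that a redirect back to the same origin still needs an Access-Control-Allow-Origin header. The origins, URLs and the in-memory "network" are constructed for illustration.

```python
from urllib.parse import urlsplit

REDIRECT_CODES = {301, 302, 303, 307}

# Constructed in-memory "network": url -> (status, headers, body).
# app.example.com is the page's origin; api.example.net is a third party.
NETWORK = {
    # Cross-origin redirect whose same-origin target also carries the header: shared.
    "https://api.example.net/data": (302, {
        "Location": "https://app.example.com/data",
        "Access-Control-Allow-Origin": "https://app.example.com"}, ""),
    "https://app.example.com/data": (200, {
        "Access-Control-Allow-Origin": "https://app.example.com"}, "report"),
    # The redirect response itself lacks the header: network error before following.
    "https://api.example.net/bare": (302, {
        "Location": "https://app.example.com/data"}, ""),
    # Redirect passes, but the same-origin target omits the header: still an error,
    # because the request stays cross-origin once it has left the page's origin.
    "https://api.example.net/back": (302, {
        "Location": "https://app.example.com/plain",
        "Access-Control-Allow-Origin": "*"}, ""),
    "https://app.example.com/plain": (200, {}, "plain"),
}

def origin(url):
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}"

def resource_sharing_check(requesting_origin, headers):
    allow = headers.get("Access-Control-Allow-Origin")
    return allow == "*" or allow == requesting_origin

def fetch(requesting_origin, url, max_redirects=5):
    """Return ("ok", body) or ("network error", reason); never a partial response."""
    cross_origin = False
    for _ in range(max_redirects + 1):
        # Once any hop is cross-origin, every later response must pass the check,
        # including a redirect that points back at the requesting origin.
        cross_origin = cross_origin or origin(url) != requesting_origin
        status, headers, body = NETWORK[url]
        if cross_origin and not resource_sharing_check(requesting_origin, headers):
            return ("network error", f"{url} lacks a matching Access-Control-Allow-Origin")
        if status in REDIRECT_CODES:
            url = headers["Location"]
            continue
        return ("ok", body)
    return ("network error", "too many redirects")
```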