W3C home > Mailing lists > Public > public-webapps@w3.org > January to March 2010

[XHR] same-origin request event rules are underspecified

From: Thomas Roessler <tlr@w3.org>
Date: Tue, 19 Jan 2010 08:00:19 +0100
Message-Id: <A7AE3CE7-4EA4-4F8A-80E8-1C62492A8248@w3.org>
Cc: public-web-security@w3.org, Thomas Roessler <tlr@w3.org>
To: W3C WebApps WG <public-webapps@w3.org>
Reviewing the XMLHttpRequest specification, the same origin request event rules are underspecified:

> The same-origin request event rules are as follows:
> 	If the response is an HTTP redirect
> 		If the redirect does not violate security (it is same origin for instance), infinite loop precautions, and the scheme is supported, transparently follow the redirect while observing the same-origin request event rules.

What does "does not violate security" mean?  Is a same origin redirect the only redirect that's considered to "not violate security"?

The specification neither gives a security policy for redirects, nor does it spell out this behavior as implementation-defined (in which case one would expect security considerations that could give implementers guidance).

Thomas Roessler, W3C  <tlr@w3.org>
Received on Tuesday, 19 January 2010 07:00:27 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:13:04 UTC