[XHR] same-origin request event rules are underspecified

Reviewing the XMLHttpRequest specification, the same origin request event rules are underspecified:

> The same-origin request event rules are as follows:
> 	If the response is an HTTP redirect
> 		If the redirect does not violate security (it is same origin for instance), infinite loop precautions, and the scheme is supported, transparently follow the redirect while observing the same-origin request event rules.

What does "does not violate security" mean?  Is a same origin redirect the only redirect that's considered to "not violate security"?

The specification neither gives a security policy for redirects, nor does it spell out this behavior as implementation-defined (in which case one would expect security considerations that could give implementers guidance).

Thomas Roessler, W3C  <tlr@w3.org>

Received on Tuesday, 19 January 2010 07:00:27 UTC