Reviewing the XMLHttpRequest specification, the same origin request event rules are underspecified: http://www.w3.org/TR/XMLHttpRequest/#same-origin-request-event-rules > The same-origin request event rules are as follows: > > If the response is an HTTP redirect > > If the redirect does not violate security (it is same origin for instance), infinite loop precautions, and the scheme is supported, transparently follow the redirect while observing the same-origin request event rules. What does "does not violate security" mean? Is a same origin redirect the only redirect that's considered to "not violate security"? The specification neither gives a security policy for redirects, nor does it spell out this behavior as implementation-defined (in which case one would expect security considerations that could give implementers guidance). Regards, -- Thomas Roessler, W3C <tlr@w3.org>Received on Tuesday, 19 January 2010 07:00:27 UTC
This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:13:04 UTC