Re: preflighted CORS requests and redirects: principally impossible?

From: Anne van Kesteren <annevk@annevk.nl>
Date: Fri, 22 Jan 2016 16:40:26 +0100
Message-ID: <CADnb78gDE3aq_tTui8gdbhkB9LJbjSxN2Rqcu2jY7Z3GRmMWNQ@mail.gmail.com>
To: Nico Schlömer <nico.schloemer@gmail.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>, André Gaul <andre@paperhive.org>

On Fri, Jan 22, 2016 at 4:34 PM, Nico Schlömer <nico.schloemer@gmail.com> wrote:
> This seems to mean that one cannot do redirects for authenticated resources
> -- even if the redirect is on the same domain (localhost). Can this really
> be true or am I missing something?

1. This is true. Nobody wanted to implement the preflight scheme for
redirects. At least not as a first pass. And to be fair, we've not
even had a handful of requests for it thus far.
2. You want to read https://fetch.spec.whatwg.org/ instead. It's the
maintained version of the standard.

Received on Friday, 22 January 2016 15:40:55 UTC