
Re: preflighted CORS requests and redirects: principally impossible?

From: Nico Schlömer <nico.schloemer@gmail.com>
Date: Fri, 22 Jan 2016 15:54:35 +0000
Message-ID: <CAK6Z60ddnEJiHQ4=8s35HK=91CQdSiN2fctaNCeGxWEwFC4uEA@mail.gmail.com>
To: Anne van Kesteren <annevk@annevk.nl>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>, André Gaul <andre@paperhive.org>

Thanks for the speedy reply!

> And to be fair, we've not even had a handful of requests for it thus far.

Count this as a +1. :)

(We'll now have to make a decision for our API to be RESTful or to be
accessible for clients that implement the fetch specification. :/)

Cheers,
Nico

On Fri, Jan 22, 2016 at 4:40 PM Anne van Kesteren <annevk@annevk.nl> wrote:

> On Fri, Jan 22, 2016 at 4:34 PM, Nico Schlömer <nico.schloemer@gmail.com> wrote:
> > This seems to mean that one cannot do redirects for authenticated resources
> > -- even if the redirect is on the same domain (localhost). Can this really
> > be true or am I missing something?
>
> 1. This is true. Nobody wanted to implement the preflight scheme for
> redirects. At least not as a first pass. And to be fair, we've not
> even had a handful of requests for it thus far.
> 2. You want to read https://fetch.spec.whatwg.org/ instead. It's the
> maintained version of the standard.
>
>
> --
> https://annevankesteren.nl/
>
Received on Friday, 22 January 2016 15:55:14 UTC
