
Re: preflighted CORS requests and redirects: principally impossible?

From: Utkarsh Upadhyay <musically.ut@gmail.com>
Date: Fri, 22 Jan 2016 17:59:47 +0100
Message-ID: <CALh3q9zAu+opJcyNE9he-mDSV9KtoxfqWTXOxh7YN6WpSms4dg@mail.gmail.com>
To: Nico Schlömer <nico.schloemer@gmail.com>
Cc: Anne van Kesteren <annevk@annevk.nl>, "public-webappsec@w3.org" <public-webappsec@w3.org>, André Gaul <andre@paperhive.org>

I don't know whether my request a year ago was counted as +1, but here
it is. :)

My use case was rather niche: a delay proxy for links on arbitrary domains.

~
ut

On Fri, Jan 22, 2016 at 4:54 PM, Nico Schlömer <nico.schloemer@gmail.com>
wrote:

> Thanks for the speedy reply!
>
> > And to be fair, we've not even had a handful of requests for it thus far.
>
> Count this as a +1. :)
>
> (We'll now have to make a decision for our API to be RESTful or to be
> accessible for clients that implement the fetch specification. :/)
>
> Cheers,
> Nico
>
> On Fri, Jan 22, 2016 at 4:40 PM Anne van Kesteren <annevk@annevk.nl>
> wrote:
>
>> On Fri, Jan 22, 2016 at 4:34 PM, Nico Schlömer <nico.schloemer@gmail.com>
>> wrote:
>> > This seems to mean that one cannot do redirects for authenticated resources
>> > -- even if the redirect is on the same domain (localhost). Can this really
>> > be true or am I missing something?
>>
>> 1. This is true. Nobody wanted to implement the preflight scheme for
>> redirects. At least not as a first pass. And to be fair, we've not
>> even had a handful of requests for it thus far.
>> 2. You want to read https://fetch.spec.whatwg.org/ instead. It's the
>> maintained version of the standard.
>>
>>
>> --
>> https://annevankesteren.nl/
>>
>
Received on Friday, 22 January 2016 17:00:35 UTC
