
Re: preflighted CORS requests and redirects: principally impossible?

From: Utkarsh Upadhyay <musically.ut@gmail.com>
Date: Sun, 24 Jan 2016 10:53:59 +0100
Message-ID: <CALh3q9x_EPXV-YmCBvawL2CynLTvTBbU=skXF4d1JoByaUnNcw@mail.gmail.com>
To: Jonathan Kingston <jonathan@jooped.co.uk>
Cc: Nico Schlömer <nico.schloemer@gmail.com>, Anne van Kesteren <annevk@annevk.nl>, "public-webappsec@w3.org" <public-webappsec@w3.org>, André Gaul <andre@paperhive.org>
> This sounds a whole lot like traffic shaping, which would be a brilliant
> argument against this.

I'm sorry, but I am not sure I completely follow. Would you care to explain
why this sort of proxying would be a bad idea? :)

~
ut


On Fri, Jan 22, 2016 at 6:41 PM, Jonathan Kingston <jonathan@jooped.co.uk>
wrote:

> > My use-case was rather niche: a delay proxy for links on arbitrary
> > domains.
>
> This sounds a whole lot like traffic shaping, which would be a brilliant
> argument against this.
>
> On Fri, Jan 22, 2016 at 5:01 PM Utkarsh Upadhyay <musically.ut@gmail.com>
> wrote:
>
>> I don't know whether my request a year ago was counted as +1, but here it
>> is. :)
>>
>> My use-case was rather niche: a delay proxy for links on arbitrary domains.
>>
>> ~
>> ut
>>
>> On Fri, Jan 22, 2016 at 4:54 PM, Nico Schlömer <nico.schloemer@gmail.com>
>> wrote:
>>
>>> Thanks for the speedy reply!
>>>
>>> > And to be fair, we've not even had a handful of requests for it thus
>>> > far.
>>>
>>> Count this as a +1. :)
>>>
>>> (We'll now have to make a decision for our API to be RESTful or to be
>>> accessible for clients that implement the fetch specification. :/)
>>>
>>> Cheers,
>>> Nico
>>>
>>> On Fri, Jan 22, 2016 at 4:40 PM Anne van Kesteren <annevk@annevk.nl>
>>> wrote:
>>>
>>>> On Fri, Jan 22, 2016 at 4:34 PM, Nico Schlömer <nico.schloemer@gmail.com> wrote:
>>>> > This seems to mean that one cannot do redirects for authenticated
>>>> > resources -- even if the redirect is on the same domain (localhost).
>>>> > Can this really be true or am I missing something?
>>>>
>>>> 1. This is true. Nobody wanted to implement the preflight scheme for
>>>> redirects. At least not as a first pass. And to be fair, we've not
>>>> even had a handful of requests for it thus far.
>>>> 2. You want to read https://fetch.spec.whatwg.org/ instead. It's the
>>>> maintained version of the standard.
>>>>
>>>>
>>>> --
>>>> https://annevankesteren.nl/
>>>>
>>>
>>
Received on Sunday, 24 January 2016 09:54:48 UTC
