Anne van Kesteren wrote:
> On Wed, 01 Aug 2007 01:01:55 +0200, Jonas Sicking <[EMAIL PROTECTED]> wrote:
>> Also, what happens for same-origin which redirects to non same-origin
>> which redirects to same-origin again. Do you perform an access check?
>
> In the implementation I've written, the decision whether to check
> access control headers is done by comparing the final URI with the
> requesting URI. So if you're redirected back to the original server no
> access-control check is done.
>
> I'd be all ears if someone thinks we should do checks as soon as a
> request has passed another domain at some point.
>
> Given domain A and B I wonder if it's a problem if when a request is
> done from A, B can feed information back to A (through the URL;
> http://domain-a.org/?data=data) without any sort of access check being
> done anywhere.
Yeah, I've been thinking about this scenario too. I think I agree with
you actually, especially given that I don't see any good use cases for
not doing the check in this scenario.

/ Jonas
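The redirect chain the two of them are discussing, as an added example that is not part of the thread and not code from either implementation. It models the two policies side by side: "final-uri" (Anne's implementation: check only when the final URI is cross-origin) and "any-hop" (the alternative Jonas agrees with: check as soon as any hop left the requesting origin). The hostnames, the in-memory "servers", the query parameter name and the Access-Control-Allow-Origin header are all constructed for illustration; the 2007 draft used different header syntax, the modern name is assumed only so the check reads familiarly.

```javascript
// Toy model of the redirect policies discussed above. Everything here is
// constructed for illustration: the hostnames, the "servers", and the
// Access-Control-Allow-Origin header (assumed modern name, not the 2007 draft's syntax).

const ORIGIN_A = "http://domain-a.org";
const ORIGIN_B = "http://domain-b.org";
const MAX_HOPS = 5;

function originOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.host}`;
}

// Constructed servers. A's /api redirects to B; B bounces back to A with
// attacker-chosen data in the query string; A echoes that query into its body
// and sends no access-control header because it expects only same-origin callers.
function serve(url) {
  const u = new URL(url);
  const key = `${u.protocol}//${u.host}${u.pathname}`;
  if (key === `${ORIGIN_A}/api`) {
    if (u.searchParams.has("data")) {
      return { status: 200, headers: {}, body: `data=${u.searchParams.get("data")}` };
    }
    return { status: 302, headers: { location: `${ORIGIN_B}/hop` }, body: "" };
  }
  if (key === `${ORIGIN_B}/hop`) {
    return { status: 302, headers: { location: `${ORIGIN_A}/api?data=chosen-by-B` }, body: "" };
  }
  throw new Error(`no constructed server for ${url}`);
}

// The access check itself: the final response must name the requesting origin.
function accessCheckPasses(response, requestingOrigin) {
  const allow = response.headers["access-control-allow-origin"];
  return allow === "*" || allow === requestingOrigin;
}

// Follow redirects on behalf of a page at requestingOrigin and decide, per
// policy, whether the access check has to run:
//   "final-uri": check only if the final URL is cross-origin
//   "any-hop":   check if any hop in the chain was cross-origin
function fetchWithPolicy(requestingOrigin, url, policy) {
  const chain = [url];
  let response = serve(url);
  while (response.status === 302 && chain.length < MAX_HOPS) {
    const next = new URL(response.headers.location, chain[chain.length - 1]).href;
    chain.push(next);
    response = serve(next);
  }
  const finalUrl = chain[chain.length - 1];
  const crossed = chain.some((u) => originOf(u) !== requestingOrigin);
  const checked = policy === "final-uri"
    ? originOf(finalUrl) !== requestingOrigin
    : crossed;
  const allowed = checked ? accessCheckPasses(response, requestingOrigin) : true;
  // body is handed to the requesting page only when the request is allowed
  return { chain, finalUrl, checked, allowed, body: allowed ? response.body : null };
}

for (const policy of ["final-uri", "any-hop"]) {
  const r = fetchWithPolicy(ORIGIN_A, `${ORIGIN_A}/api`, policy);
  console.log(policy, "checked:", r.checked, "allowed:", r.allowed, "body:", r.body);
}
```

Under "final-uri" the chain A -> B -> A ends on the requesting origin, so no check runs and the page at A receives a body that B chose via the query string, with A never having opted in. Under "any-hop" the hop through B marks the request, the check runs against A's final response, and because A sends no allow header the body is withheld. That is exactly the gap Anne raises and the reason Jonas agrees the check should run once another domain has been touched.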