On Tue, 17 Mar 2009 21:50:21 +0100, Anne van Kesteren <ann...@opera.com>
wrote:
* cross-origin request with preflight, actual request
If we want to follow redirects here at all we can only do it for
requests that do not require a preflight. Therefore I'm still not quite
convinced that we should honor 303 here because the headers might still
be dangerous and have not been checked prior to the request. I think
doing what the specification suggests here is safest.
Alternatively, we could change the specification so that redirects are not
followed, but that their contents (and maybe the Location header) are
exposed to application authors if the resource sharing check works out ok.
That way the details are still revealed but we do not have to get really
complicated and perform a preflight request for every redirect that
follows an actual request.
--
Anne van Kesteren
http://annevankesteren.nl/
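To make the two options in the message concrete (the specification's behaviour of not following a redirect after a preflighted request, versus exposing the redirect's details when the resource sharing check passes), here is a small model of the user agent's decision. It is an added, constructed example for this thread, not code from the CORS specification or from any browser; the function names, the `expose_redirect` switch and the sample URLs are this example's own, and the simple-request rules are reduced to the method and header checks needed to show the point.

```python
# Constructed model of the CORS redirect decision discussed in the thread.
# Not spec or browser code; names and sample values are this example's own.
from dataclasses import dataclass, field
from typing import Optional, Tuple

SIMPLE_METHODS = {"GET", "HEAD", "POST"}
SIMPLE_HEADERS = {"accept", "accept-language", "content-language", "content-type"}
SIMPLE_CONTENT_TYPES = {"application/x-www-form-urlencoded",
                        "multipart/form-data", "text/plain"}
REDIRECT_STATUSES = {301, 302, 303, 307}


@dataclass
class Request:
    method: str
    url: str
    origin: str                       # origin of the requesting script
    headers: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)


def needs_preflight(req: Request) -> bool:
    """True when the request carries a method or header that the target
    must approve through an OPTIONS preflight before the actual request."""
    if req.method.upper() not in SIMPLE_METHODS:
        return True
    for name, value in req.headers.items():
        lname = name.lower()
        if lname not in SIMPLE_HEADERS:
            return True
        if lname == "content-type":
            media = value.split(";", 1)[0].strip().lower()
            if media not in SIMPLE_CONTENT_TYPES:
                return True
    return False


def resource_sharing_check(req: Request, resp: Response) -> bool:
    """The 'resource sharing check' the message refers to: does the response
    allow the requesting origin? (Credentialed requests are not modelled.)"""
    allow = resp.headers.get("Access-Control-Allow-Origin")
    return allow == "*" or allow == req.origin


def handle_actual_response(req: Request, resp: Response,
                           expose_redirect: bool = False) -> Tuple[str, Optional[str]]:
    """Decide what the user agent does with the actual request's response.

    Returns (outcome, location). Outcomes:
      "response"         - deliver the response to the script
      "follow"           - the redirect may be followed (no preflight involved)
      "network error"    - nothing is exposed to the script
      "redirect exposed" - the alternative from the message: do not follow,
                           but reveal Location when the sharing check passes
    """
    if resp.status not in REDIRECT_STATUSES:
        if resource_sharing_check(req, resp):
            return ("response", None)
        return ("network error", None)

    location = resp.headers.get("Location")
    if not needs_preflight(req):
        # Only a simple request would reach the new URL, i.e. nothing a plain
        # form submission could not already send there. (The real algorithm
        # applies further checks to the redirect URL; omitted here.)
        return ("follow", location)

    # Preflighted request: the OPTIONS exchange approved the method and
    # headers for req.url only. The redirect target never saw that
    # preflight, so re-sending the custom headers there is unsafe.
    if expose_redirect and resource_sharing_check(req, resp):
        return ("redirect exposed", location)
    return ("network error", None)


if __name__ == "__main__":
    # Constructed sample: a PUT with a custom header, answered with a 303.
    put = Request("PUT", "https://api.example.test/items/1",
                  "https://app.example.test", {"X-Custom-Auth": "token"})
    see_other = Response(303, {"Location": "https://cdn.example.test/items/1",
                               "Access-Control-Allow-Origin": "https://app.example.test"})
    print("spec behaviour: ", handle_actual_response(put, see_other))
    print("alternative:    ", handle_actual_response(put, see_other, expose_redirect=True))
```

Running the block shows the difference: with the specification's behaviour the 303 after the preflighted PUT ends in a network error, while the alternative returns the Location value without the custom headers ever being sent to the new URL. Either way, the custom headers approved for the first URL are not replayed to a target that was never preflighted.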