Hi Jonas, I'm just asking what Origin header behavior will be shipped in Firefox 3.5. You've said redirects of preflighted requests aren't supported, so I'm wondering about the non-preflighted requests.
Another question, since Firefox doesn't support redirects of preflighted requests, what does it do when it encounters a redirect?

--Tyler

On Wed, Jun 24, 2009 at 12:43 PM, Jonas Sicking<[email protected]> wrote:
> On Wed, Jun 24, 2009 at 11:45 AM, Tyler Close<[email protected]> wrote:
>> On Wed, Jun 24, 2009 at 10:16 AM, Jonas Sicking<[email protected]> wrote:
>>> Firefox 3.5 will be out in a matter of days (RC available already) and
>>> it supports the majority of CORS (everything but redirects of
>>> preflighted requests).
>>
>> What is the behavior of the Origin header on other kinds of redirects?
>> For example:
>>
>> 1. page from Site A does: POST text/plain to a URL at Site B
>>
>> 2. Site B responds with a redirect to a URL at Site A
>>
>> 3. User clicks through any presented redirect confirmation dialog
>>
>> 4. Browser sends the POST from step 1 to the specified URL at Site A.
>>
>> What is the value of the Origin header in step 4?
>
> Which "Origin" are you referring to here?
>
> The "Origin" header defined by the CORS spec is known to be bad and is
> being worked on. So I'm not sure it's interesting to discuss what the
> CORS spec says here. (At least that was the status last I looked, I'm
> a bit behind on the last few rounds of emails though).
>
> As for the "Origin" spec that Adam Barth is working on, I'm not sure
> that the last draft is published yet, but I believe that the idea is
> to append the full redirect chain in the Origin header. (hence
> possibly making it incompatible with the CORS "Origin" meaning that
> we'll have to use another name).
>
> So again, we do know there is a problem with the Origin header in the
> CORS spec when it comes to redirects. It's a known outstanding issue
> that we believe is fixable and not a reason to abandon the whole spec.
>
> / Jonas
>

--
"Waterken News: Capability security on the Web"
http://waterken.sourceforge.net/recent.html
