Reviewing the XMLHttpRequest specification, the same-origin request event rules are underspecified: http://www.w3.org/TR/XMLHttpRequest/#same-origin-request-event-rules

> The same-origin request event rules are as follows:
>
> If the response is an HTTP redirect
>
> If the redirect does not violate security (it is same origin for instance), infinite loop precautions, and the scheme is supported, transparently follow the redirect while observing the same-origin request event rules.

What does "does not violate security" mean? Is a same-origin redirect the only redirect that's considered to "not violate security"?

The specification neither gives a security policy for redirects, nor does it spell out this behavior as implementation-defined (in which case one would expect security considerations that could give implementers guidance).

Regards,
--
Thomas Roessler, W3C <[email protected]>
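To make the three conditions in the quoted rule concrete (same origin, loop precautions, supported scheme), here is an added model of a redirect-following decision for a same-origin XHR. It is an illustration written for this post, not text from the specification or any browser; the hop limit, the scheme set and the function names are assumptions, and the redirect chain is constructed inline.

```javascript
// Added example: a model of the quoted XHR same-origin redirect rule.
// Not from the spec or the post. MAX_REDIRECTS, SUPPORTED_SCHEMES and the
// function names are assumptions chosen for illustration.
const MAX_REDIRECTS = 20;                          // assumed loop precaution
const SUPPORTED_SCHEMES = new Set(['http:', 'https:']); // assumed scheme set

// Two URLs share an origin when scheme, host and port all match
// (URL.host already carries a non-default port).
function sameOrigin(a, b) {
  const ua = new URL(a), ub = new URL(b);
  return ua.protocol === ub.protocol && ua.host === ub.host;
}

// Decide whether one redirect hop may be followed transparently under the
// rule as quoted. Returns { follow, reason } so a caller can log why it stopped.
function redirectDecision(documentOrigin, location, hops) {
  let target;
  try { target = new URL(location); }
  catch { return { follow: false, reason: 'unparseable Location' }; }
  if (!SUPPORTED_SCHEMES.has(target.protocol)) return { follow: false, reason: 'unsupported scheme' };
  if (hops >= MAX_REDIRECTS) return { follow: false, reason: 'redirect limit' };
  if (!sameOrigin(documentOrigin, target.href)) return { follow: false, reason: 'cross-origin redirect' };
  return { follow: true, reason: 'same-origin' };
}

// Walk a constructed chain (Map: request URL -> Location header value) and
// report where the request stops and why.
function followChain(documentOrigin, start, responses) {
  let current = start, hops = 0;
  while (responses.has(current)) {
    const d = redirectDecision(documentOrigin, responses.get(current), hops);
    if (!d.follow) return { final: current, hops, reason: d.reason };
    current = responses.get(current);
    hops += 1;
  }
  return { final: current, hops, reason: 'no further redirect' };
}

// Constructed sample: one same-origin hop, then a redirect off-origin.
const sampleChain = new Map([
  ['https://app.example/a', 'https://app.example/b'],
  ['https://app.example/b', 'https://other.example/c'],
]);
console.log(followChain('https://app.example', 'https://app.example/a', sampleChain));
```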
