On Wed, 01 Aug 2007 01:01:55 +0200, Jonas Sicking <[EMAIL PROTECTED]> wrote:
Also, what happens for same-origin which redirects to non same-origin
which redirects to same-origin again. Do you perform an access check?
In the implementation I've written, the decision whether to check access
control headers is done by comparing the final uri with the requesting
uri. So if you're redirected back to the original server no
access-control check is done.
I'd be all ears if someone thinks we should do checks as soon as a
request has passed another domain at some point.
Given domain A and B I wonder if it's a problem if when a request is done
from A, B can feed information back to A (through the URL;
http://domain-a.org/?data=data) without any sort of access check being
done anywhere.
--
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>
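
The two redirect policies discussed in this message, side by side, as an added example that is not part of the original e-mail or of either implementation. The function names, `domain-b.example` and the chain layout (every URI requested, in order) are assumptions made for illustration.

```javascript
// Added illustration; function names and sample URLs are constructed.
// An origin is scheme + host + port; the URL parser normalises default ports.
function originOf(uri) {
  return new URL(uri).origin;
}

// Policy 1 (the quoted implementation): compare only the final URI of the
// redirect chain with the requesting URI.
function needsCheckFinalOnly(requestingUri, chain) {
  if (chain.length === 0) throw new Error("empty redirect chain");
  return originOf(chain[chain.length - 1]) !== originOf(requestingUri);
}

// Policy 2 (the alternative raised): require a check as soon as the
// request has passed through another origin at any hop.
function needsCheckAnyHop(requestingUri, chain) {
  if (chain.length === 0) throw new Error("empty redirect chain");
  const home = originOf(requestingUri);
  return chain.some((hop) => originOf(hop) !== home);
}

// List the hops where the chain comes back to the requesting origin from
// another one, with the query string the other origin chose for the return.
function crossOriginReturns(requestingUri, chain) {
  const home = originOf(requestingUri);
  const found = [];
  for (let i = 1; i < chain.length; i++) {
    const prev = originOf(chain[i - 1]);
    if (prev !== home && originOf(chain[i]) === home) {
      found.push({ from: prev, to: chain[i], query: new URL(chain[i]).search });
    }
  }
  return found;
}

// Constructed chain: A -> B -> A, returning with data in the URL.
const page = "http://domain-a.org/page.html";
const chain = [
  "http://domain-a.org/resource",
  "http://domain-b.example/hop",
  "http://domain-a.org/?data=data",
];

console.log("final-only policy requires check:", needsCheckFinalOnly(page, chain));
console.log("any-hop policy requires check:", needsCheckAnyHop(page, chain));
console.log("cross-origin returns:", crossOriginReturns(page, chain));
```
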