Anne van Kesteren wrote:
On Mon, 06 Aug 2007 23:39:28 +0200, Jonas Sicking <[EMAIL PROTECTED]> wrote:
Given domain A and B I wonder if it's a problem if when a request is
done from A, B can feed information back to A (through the URL;
http://domain-a.org/?data=data) without any sort of access check
being done anywhere.
Yeah, I've been thinking about this scenario too. I think I agree with
you actually, especially given that I don't see any good usecases for
not doing the check in this scenario.
Agree? I was just wondering :-) In any case, I could easily solve this
in the specification by having a "has been non same-origin flag" which
is set to "true" the moment you make a non same-origin request or you
are redirected to a non-same origin location. Based on the value of that
flag you would then decide to do an access check. Sounds reasonable?
(Besides of course the already in place algorithms for a non-GET request
to a same-origin server which redirects to a non same-origin server.)
Yes, this sounds good.
/ Jonas
