ISSUE-32: Each redirect step needs to opt in to AC in order to avoid data leaking
- State: CLOSED
- Product: HISTORICAL: CORS [this spec uses Bugzilla for Bug/Issue tracking http://tinyurl.com/Bugz-CORS]
- Raised by: Jonas Sicking
- Opened on: 2008-07-02
- Description:
- Currently data can leak from a site that does redirects, if the site that it redirects to opts in to Access-Control. For example:
http://craigslist.com redirects the user (based on a cookie) to the appropriate local craigslist site, such as sfbay.craigslist.com or austin.craigslist.com.
It is safe for both sfbay.craigslist.com and austin.craigslist.com to opt in to AC since they both serve only public data. By redirecting to them, craigslist.com is leaking the user's home town, which isn't very obvious.
- Related Actions Items:
- No related actions
- Related emails:
- Re: [access-control] Seeking Clarification and Status of Issues #25, #26, #29, #30, #31 and #32 (from art.barstow@nokia.com on 2008-10-16)
- Re: [access-control] Seeking Clarification and Status of Issues #25, #26, #29, #30, #31 and #32 (from jonas@sicking.cc on 2008-10-09)
- [access-control] Seeking Clarification and Status of Issues #25, #26, #29, #30, #31 and #32 (from art.barstow@nokia.com on 2008-10-09)
- [access-control] Issue list (from annevk@opera.com on 2008-07-08)
Related notes:
Closed. See thread starting at: http://lists.w3.org/Archives/Public/public-webapps/2008OctDec/0076.html
Arthur Barstow, 21 Oct 2008, 16:11:20
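
The redirect leak described in this issue, modelled as an added example (not part of the tracker entry or the specification). It compares checking only the final response with requiring every redirect step to opt in. Assumptions: the opt-in is modelled as an `Access-Control-Allow-Origin` header, the responses are constructed, and `http://other.example` is a hypothetical requesting site.

```javascript
// Constructed responses keyed by URL; not captured traffic.
// Assumption: "opting in to AC" is modelled as Access-Control-Allow-Origin.
const REDIRECTS = new Set([301, 302, 303, 307, 308]);
const RESPONSES = {
  // The redirector picks a target from the user's cookie and does NOT opt in.
  "http://craigslist.com/": {
    status: 302,
    headers: { location: "http://sfbay.craigslist.com/" },
  },
  // The local site serves only public data, so it opts in.
  "http://sfbay.craigslist.com/": {
    status: 200,
    headers: { "access-control-allow-origin": "*" },
    body: "public sfbay listings",
  },
};

// True when the response grants read access to the requesting origin.
function optsIn(response, origin) {
  const allowed = response.headers["access-control-allow-origin"];
  return allowed === "*" || allowed === origin;
}

// Simulates a cross-origin read made by `origin`.
// requireEveryHop=false: only the final response is checked (the leak).
// requireEveryHop=true: every redirect response must opt in as well.
function crossOriginRead(url, origin, requireEveryHop, maxRedirects = 5) {
  for (let hop = 0; hop <= maxRedirects; hop++) {
    const response = RESPONSES[url];
    if (!response) return { allowed: false, reason: `no response for ${url}` };
    const isRedirect = REDIRECTS.has(response.status);
    if ((requireEveryHop || !isRedirect) && !optsIn(response, origin)) {
      return { allowed: false, reason: `${url} did not opt in` };
    }
    if (!isRedirect) return { allowed: true, body: response.body };
    url = response.headers.location;
  }
  return { allowed: false, reason: "too many redirects" };
}

const origin = "http://other.example"; // hypothetical requesting site
// Final-only check: the body is readable and reveals which local site was chosen.
console.log(crossOriginRead("http://craigslist.com/", origin, false));
// Per-hop check: blocked at the redirector, which never opted in.
console.log(crossOriginRead("http://craigslist.com/", origin, true));
```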