ISSUE-32: Each redirect step needs to opt in to AC in order to avoid data leaking

State:
CLOSED
Product:
HISTORICAL: CORS [this spec uses Bugzilla for Bug/Issue tracking http://tinyurl.com/Bugz-CORS]
Raised by:
Jonas Sicking
Opened on:
2008-07-02
Description:
Currently data can leak from a site that does redirects, if the site that it redirects to opts in to Access-Control. For example:

http://craigslist.com redirects the user (based on a cookie) to the appropriate local craigslist site, such as sfbay.craigslist.com or austin.craigslist.com.

It is safe for both sfbay.craigslist.com and austin.craigslist.com to opt in to AC since they both serve only public data. By redirecting to them, craigslist.com is leaking the user's home town, which isn't very obvious.
Related Actions Items:
No related actions
Related emails:
  1. Re: [access-control] Seeking Clarification and Status of Issues #25, #26, #29, #30, #31 and #32 (from art.barstow@nokia.com on 2008-10-16)
  2. Re: [access-control] Seeking Clarification and Status of Issues #25, #26, #29, #30, #31 and #32 (from jonas@sicking.cc on 2008-10-09)
  3. [access-control] Seeking Clarification and Status of Issues #25, #26, #29, #30, #31 and #32 (from art.barstow@nokia.com on 2008-10-09)
  4. [access-control] Issue list (from annevk@opera.com on 2008-07-08)

Related notes:

Closed. See thread starting at: http://lists.w3.org/Archives/Public/public-webapps/2008OctDec/0076.html

Arthur Barstow, 21 Oct 2008, 16:11:20
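
The leak described in this issue, modelled as an added example that is not part of the tracker record or of the specification text: a redirect chain is walked once with only the final response checked and once with every redirect step required to opt in. The function names, the origin `http://other.example`, the use of the `Access-Control-Allow-Origin` header as the opt-in signal, and the sample responses are assumptions made for illustration.

```javascript
// Constructed responses (not real server output): the front page redirects by
// cookie and does not opt in; the local site serves public data and does.
const SAMPLE_RESPONSES = {
  "http://craigslist.com/": {
    status: 302,
    headers: { location: "http://sfbay.craigslist.com/" },
  },
  "http://sfbay.craigslist.com/": {
    status: 200,
    headers: { "access-control-allow-origin": "*" },
    body: "public listings",
  },
};

// Simplified opt-in test (credential rules are ignored in this model):
// the response names the requesting origin or "*".
function optsIn(response, requestOrigin) {
  const value = response.headers["access-control-allow-origin"];
  return value === "*" || value === requestOrigin;
}

// Walk a redirect chain. With perHop=false only the final response is checked
// (the behaviour the issue describes); with perHop=true every redirect
// response must opt in as well.
function crossOriginFetch(requestOrigin, url, responses, perHop, maxHops = 10) {
  for (let hop = 0; hop <= maxHops; hop++) {
    const response = responses[url];
    if (!response) return { allowed: false, reason: "no response", url: null };
    const isRedirect = response.status >= 300 && response.status < 400;
    if ((perHop || !isRedirect) && !optsIn(response, requestOrigin)) {
      // Blocked: the caller learns nothing about where the chain led.
      return { allowed: false, reason: "no opt-in", url: null };
    }
    if (!isRedirect) {
      // Readable result: the final URL reveals which local site was chosen.
      return { allowed: true, reason: "ok", url, body: response.body };
    }
    url = new URL(response.headers.location, url).href;
  }
  return { allowed: false, reason: "too many redirects", url: null };
}

const start = "http://craigslist.com/";
console.log(crossOriginFetch("http://other.example", start, SAMPLE_RESPONSES, false));
console.log(crossOriginFetch("http://other.example", start, SAMPLE_RESPONSES, true));
```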
