define source origin for redirects rather than deferring to the Origi…
annevk committed Feb 14, 2012
1 parent 39796f7 commit 713ddad
Showing 2 changed files with 30 additions and 36 deletions.
33 changes: 15 additions & 18 deletions Overview.html
Expand Up @@ -1116,11 +1116,10 @@ <h4 id="cross-origin-request-status-0"><span class="secno">7.1.2 </span>Cross-Or

<h4 id="source-origin-0"><span class="secno">7.1.3 </span>Source Origin</h4>

<p>The <a href="#source-origin">source origin</a> is the initial origin that user agents
must use for the
<code title="http-origin"><a href="#http-origin">Origin</a></code> header. In case of redirects the
user agents must follow the requirements set forth in
the specification for that header.</p>
<p>The <a href="#source-origin">source origin</a> is the initial
<a class="external" href="http://tools.ietf.org/html/rfc6454#section-4">origin</a> that user agents must use for
the <code title="http-origin"><a href="#http-origin">Origin</a></code> header. It can be modified
during the <a href="#redirect-steps">redirect steps</a>.</p>


<h4 id="simple-cross-origin-request-0"><span class="secno">7.1.4 </span>Simple Cross-Origin Request</h4>
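
Review bot: The rewritten "Source Origin" paragraph still defines source origin as "the initial origin" while its second sentence treats it as a value that gets reassigned. Define it as a value that starts out as an origin, and say that the Origin header carries its current value, so a reader does not take "initial" to mean the header keeps the pre-redirect origin.
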
Expand Down Expand Up @@ -1539,6 +1538,8 @@ <h4 id="generic-cross-origin-request-algorithms"><span class="secno">7.1.7 </spa
follow this set of steps:</p>

<ol>
<li><p>Let <var>original URL</var> be the <a href="#request-url">request URL</a>.

<li><p>Let <a href="#request-url">request URL</a> be the
<a class="external" href="http://www.whatwg.org/specs/web-apps/current-work/multipage/urls.html#url">URL</a> conveyed by
the <code>Location</code> header in the redirect response.</li>
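
Review bot: The new first step, "Let original URL be the request URL.", is left without a closing </li>, while the step directly after it closes with </li>. Omitting the end tag is valid HTML, but mixing both styles inside one list makes later diffs noisier; close it the same way as its neighbour.
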
Expand All @@ -1547,31 +1548,27 @@ <h4 id="generic-cross-origin-request-algorithms"><span class="secno">7.1.7 </spa
<li><p>If the <a href="#request-url">request URL</a> &lt;scheme&gt; is not supported,
infinite loop precautions are violated, or the user agent does not wish
to make the new request for some other reason, apply the
<a href="#network-error-steps">network error steps</a> and terminate this set of
steps.</li>
<a href="#network-error-steps">network error steps</a>.

<li><p>If the <a href="#request-url">request URL</a> contains the
<code class="external"><a href="http://tools.ietf.org/html/rfc2616/#section-3.2.1">userinfo</a></code> production apply the
<a href="#network-error-steps">network error steps</a>.</li>

<li><p>If the <a href="#resource-sharing-check">resource sharing check</a> for the current resource
returns fail, apply the <a href="#network-error-steps">network error steps</a>.</li>
<li><p>If the <a href="#resource-sharing-check">resource sharing check</a> for the current
resource returns fail, apply the <a href="#network-error-steps">network error steps</a>.
<!--This prevents intranet data leakage.-->

<li><p>If the <a href="#request-url">request URL</a>
<a class="external" href="http://tools.ietf.org/html/rfc6454#section-4">origin</a> is not
<a class="external" href="http://tools.ietf.org/html/rfc6454#section-5">same origin</a> with the
<var>original URL</var> <a class="external" href="http://tools.ietf.org/html/rfc6454#section-4">origin</a>, set
<a href="#source-origin">source origin</a> to a globally unique identifier.

<li><p>Otherwise, transparently follow the redirect while observing the
set of <i>request rules</i>.</li>
<!-- XXX or should this use the make a request steps? -->
</ol>

<p class="note">A redirect to a URL that is
<a class="external" href="http://tools.ietf.org/html/rfc6454#section-5">same origin</a> with the
<a href="#source-origin">source origin</a> is handled identically to any other
URL.</p>

<p class="note">A redirect to a URL that is <a href="#cross-origin">cross-origin</a> has
consequences for the value of the <code title="http-origin"><a href="#http-origin">Origin</a></code>
header as detailed by its specification.</p>

<hr>

<p>Whenever the <dfn id="abort-steps">abort steps</dfn> are applied,
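
Review bot: The last step still begins with "Otherwise", and it now follows the step that sets source origin to a globally unique identifier. Read literally, the redirect is followed only when the request URL origin is same origin with the original URL origin; the cross-origin branch changes source origin and then has no instruction to continue. Drop "Otherwise" so the final step reads "Transparently follow the redirect while observing the set of request rules" and applies in both cases.
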
33 changes: 15 additions & 18 deletions Overview.src.html
Expand Up @@ -1134,11 +1134,10 @@ <h4>Cross-Origin Request Status</h4>

<h4>Source Origin</h4>

<p>The <span>source origin</span> is the initial origin that user agents
must use for the
<code title="http-origin">Origin</code> header. In case of redirects the
user agents must follow the requirements set forth in
the specification for that header.</p>
<p>The <span>source origin</span> is the initial
<span data-anolis-spec=origin>origin</span> that user agents must use for
the <code title="http-origin">Origin</code> header. It can be modified
during the <span>redirect steps</span>.</p>


<h4>Simple Cross-Origin Request</h4>
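
Review bot: "It can be modified during the redirect steps" in the new definition does not say what the modification is, although the redirect steps in this commit make only one: setting source origin to a globally unique identifier. Say so here, for example "The redirect steps can set it to a globally unique identifier", so the definition can be understood without reading the algorithm.
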
Expand Down Expand Up @@ -1557,6 +1556,8 @@ <h4>Generic Cross-Origin Request Algorithms</h4>
follow this set of steps:</p>

<ol>
<li><p>Let <var>original URL</var> be the <span>request URL</span>.

<li><p>Let <span>request URL</span> be the
<span data-anolis-spec=html>URL</span> conveyed by
the <code>Location</code> header in the redirect response.</p></li>
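
Review bot: The variable introduced in the new first step is named "original URL", but it is bound at the start of every run of the redirect steps, so on a second redirect it holds the previous hop's URL rather than the URL of the original request. A name such as "previous URL" would match what the later same-origin comparison actually compares against.
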
Expand All @@ -1565,31 +1566,27 @@ <h4>Generic Cross-Origin Request Algorithms</h4>
<li><p>If the <span>request URL</span> &lt;scheme> is not supported,
infinite loop precautions are violated, or the user agent does not wish
to make the new request for some other reason, apply the
<span>network error steps</span> and terminate this set of
steps.</p></li>
<span>network error steps</span>.

<li><p>If the <span>request URL</span> contains the
<code data-anolis-spec=uri>userinfo</code> production apply the
<span>network error steps</span>.</p></li>

<li><p>If the <span>resource sharing check</span> for the current resource
returns fail, apply the <span>network error steps</span>.</p></li>
<li><p>If the <span>resource sharing check</span> for the current
resource returns fail, apply the <span>network error steps</span>.
<!--This prevents intranet data leakage.-->

<li><p>If the <span>request URL</span>
<span data-anolis-spec=origin>origin</span> is not
<span data-anolis-spec=origin>same origin</span> with the
<var>original URL</var> <span data-anolis-spec=origin>origin</span>, set
<span>source origin</span> to a globally unique identifier.

<li><p>Otherwise, transparently follow the redirect while observing the
set of <i>request rules</i>.</p></li>
<!-- XXX or should this use the make a request steps? -->
</ol>

<p class=note>A redirect to a URL that is
<span data-anolis-spec=origin>same origin</span> with the
<span>source origin</span> is handled identically to any other
URL.</p>

<p class=note>A redirect to a URL that is <span>cross-origin</span> has
consequences for the value of the <code title="http-origin">Origin</code>
header as detailed by its specification.</p>

<hr>

<p>Whenever the <dfn id="abort-steps">abort steps</dfn> are applied,
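
Review bot: The first check appears both with and without "and terminate this set of steps" (the wording that ends at "network error steps." drops it), and the step that sets source origin now sits after three checks that only say "apply the network error steps". If the network error steps do not themselves end the algorithm, a failed check falls through to the source origin assignment and the follow step. Either keep the explicit termination on each check or state once that applying the network error steps terminates the redirect steps.
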