Anne van Kesteren wrote:
On Mon, 04 Feb 2008 10:27:03 +0100, Jonas Sicking wrote:
If I do a POST using AC to a http://example.com/form.cgi and the
initial OPTIONS request forwards to http://example.org/pub/form.cgi,
does that mean that the POST goes directly to the second URI?
Yes, you proposed this (although I pointed out later that this was
already in the draft, though unclear):
http://lists.w3.org/Archives/Public/public-webapi/2007Jul/0042.html
Ugh, what a silly idea ;)
I'm honestly not sure what the right thing to do here is. My gut feeling
is that the POST should go to the original URI and then any redirects
would need to follow the exact same path as the original OPTIONS redirects.
This way the only difference between the cross-site POST and a same-site
POST will be the initial OPTIONS requests.
That seems like a bad idea to me since it makes cross-site requests
behave very differently from same-site requests, rather than just
differing in authorization.
I don't see what the issue is. They already behave very differently as
they require a preflight OPTIONS request. Comments like these do worry
me a bit about the state of your implementation though. :-(
I decided not to implement redirects for non-GET methods at all in the
initial implementation. It might be the state we will ship in since I
think redirects are an edge case and the lack of support for redirects
won't hinder adoption of the rest of the spec.
/ Jonas
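
The two redirect behaviours debated in this thread, modelled as an added JavaScript example that is not part of the thread, the draft, or any implementation mentioned in it. The redirect table, the function names and the handling of a POST chain shorter than the preflight chain are assumptions made for illustration.

```javascript
// Constructed redirect table (hypothetical server behaviour), keyed by "METHOD uri".
const REDIRECTS = {
  "OPTIONS http://example.com/form.cgi": "http://example.org/pub/form.cgi",
  "POST http://example.com/form.cgi": "http://example.org/pub/form.cgi",
};

// Follow redirects for one method; return every URI visited, in order.
function followChain(method, uri, redirects, maxHops = 5) {
  const chain = [uri];
  let next;
  while ((next = redirects[`${method} ${chain[chain.length - 1]}`]) !== undefined) {
    if (chain.length > maxHops) throw new Error("too many redirects");
    chain.push(next);
  }
  return chain;
}

// Behaviour A: the POST goes directly to the URI where the OPTIONS preflight ended.
function postToFinalUri(uri, redirects) {
  const preflight = followChain("OPTIONS", uri, redirects);
  return { allowed: true, requests: [preflight[preflight.length - 1]] };
}

// Behaviour B: the POST starts at the original URI and is aborted at the
// first hop that leaves the path the preflight took.
// Assumption: a POST chain shorter than the preflight chain is also a mismatch.
function postReplayingPath(uri, redirects) {
  const preflight = followChain("OPTIONS", uri, redirects);
  const actual = followChain("POST", uri, redirects);
  const requests = []; // URIs that actually received the POST
  for (let i = 0; i < actual.length; i++) {
    if (actual[i] !== preflight[i]) return { allowed: false, requests };
    requests.push(actual[i]);
  }
  return { allowed: actual.length === preflight.length, requests };
}
```

The `requests` array shows which hosts receive the POST under each behaviour: only the final URI under A, every hop on the preflight path under B.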