On 2/25/11 6:07 AM, "Peter Saint-Andre" <stpe...@stpeter.im> wrote:
> [old thread alert!]
>
> On 12/1/10 12:56 AM, Evgeniy Khramtsov wrote:
>> Is it possible to redirect BOSH requests (probably, using 3xx+cookie or
>> something like that)? The client should not interpret such responses as
>> fatal, e.g. it should not drop the existing session.
>
> I see no reason why not, but it's not described in the spec. Would it
> help for us to add some examples?

If the redirect comes from a trusted source (e.g. over HTTPS with a verified certificate) then this can work ok, although we've decided that the BOSH see-other-uri error is easier to control through XMLHTTPRequest, particularly when doing CORS. Be careful that you don't blindly accept redirects, however, or you are trivial to man-in-the-middle attack.

--
Joe Hildebrand
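
One way a browser client could vet a see-other-uri target before re-POSTing to it, shown as an added example that is not code from this thread or from the BOSH specification. The allowlist, the hop limit, the function name `vetRedirect` and all URLs are assumptions constructed for illustration; certificate verification is left to the browser's HTTPS stack.

```javascript
// Added example: decide whether a BOSH redirect target may be followed.
// ALLOWED_HOSTS, MAX_REDIRECTS and every URL used here are constructed values.
const ALLOWED_HOSTS = new Set(["bosh.example.com", "bosh2.example.com"]);
const MAX_REDIRECTS = 3;

// currentUrl: the connection manager URL the redirect was received from.
// targetUri:  the URI carried by the redirect (e.g. the see-other-uri payload).
// hops:       how many redirects this session has already followed.
function vetRedirect(currentUrl, targetUri, hops) {
  if (hops >= MAX_REDIRECTS) {
    return { ok: false, reason: "too many redirects" };
  }
  let cur, next;
  try {
    cur = new URL(currentUrl);
    next = new URL(targetUri); // must be absolute; a relative URI throws here
  } catch (e) {
    return { ok: false, reason: "unparseable URI" };
  }
  // A redirect that arrived over plain HTTP could have been injected in transit.
  if (cur.protocol !== "https:") {
    return { ok: false, reason: "redirect not received over https" };
  }
  // Never let a redirect downgrade the session to cleartext.
  if (next.protocol !== "https:") {
    return { ok: false, reason: "target is not https" };
  }
  // user@host forms are a common way to disguise the real host.
  if (next.username || next.password) {
    return { ok: false, reason: "credentials in URI" };
  }
  // Exact host match only; the URL parser has already lowercased the hostname.
  if (!ALLOWED_HOSTS.has(next.hostname)) {
    return { ok: false, reason: "host not on allowlist" };
  }
  return { ok: true, url: next.href };
}
```

A client would call this on every redirect and keep the existing session untouched when `ok` is false.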