From: Jorge on 26 Feb 2010 06:37

Hi,

Let's say a page does an XHR to theSameDomain, and the response is a redirect to another resource in another domain. Is that legal ? Will such an XHR succeed ?

TIA,
--
Jorge.

From: Richard Cornford on 26 Feb 2010 06:55

On Feb 26, 11:37 am, Jorge wrote:
> Let's say a page does an XHR to theSameDomain, and the response
> is a redirect to another resource in another domain. Is that
> legal ?

Any normal HTTP exchange is 'legal'. (Some may still not be supported (such as some operations))

> Will such an XHR succeed ?

Succeed is too subjective. If you make an XML HTTP request and the status of the response is one of the redirection statuses with a new URL location then that is success in one sense (and the client-side code can observe the status and the alternative URL and make some decision about how it is going to act).

I suspect that you mean; will the XML HTTP request system automatically act on the redirection and return the response from that alternative source. To which the answer is that mostly they will. There were Opera versions that did not, but they had to change that as web developers mostly cannot cope with HTTP and so were declaring Opera broken when it only did what they asked for instead of what they expected.

Richard.

From: Jorge on 26 Feb 2010 08:35

On Feb 26, 12:55 pm, Richard Cornford <Rich...(a)litotes.demon.co.uk> wrote:
> On Feb 26, 11:37 am, Jorge wrote:
>
> > Let's say a page does an XHR to theSameDomain, and the response
> > is a redirect to another resource in another domain. Is that
> > legal ?
>
> Any normal HTTP exchange is 'legal'. (Some may still not be supported
> (such as some operations))
>
> > Will such an XHR succeed ?
>
> Succeed is too subjective. If you make an XML HTTP request and the
> status of the response is one of the redirection statuses with a new
> URL location then that is success in one sense (and the client-side
> code can observe the status and the alternative URL and make some
> decision about how it is going to act).
>
> I suspect that you mean; will the XML HTTP request system
> automatically act on the redirection and return the response from that
> alternative source. To which the answer is that mostly they will.
> There were Opera versions that did not, but they had to change that as
> web developers mostly cannot cope with HTTP and so were declaring
> Opera broken when it only did what they asked for instead of what they
> expected.

Ok. Thanks, Richard. One more question would be, isn't that a blatant violation of the SOP ? What happens if the redirect is to bank.com/operate/transferNow?amount=10000&destAccount=myAcctNumber ? Would bank.com cookies be sent along in the 2nd -redirected- request ?

--
Jorge.

From: Richard Cornford on 26 Feb 2010 09:56

On Feb 26, 1:35 pm, Jorge wrote:
> On Feb 26, 12:55 pm, Richard Cornford wrote:
>> On Feb 26, 11:37 am, Jorge wrote:
>
>>> Let's say a page does an XHR to theSameDomain, and the response
>>> is a redirect to another resource in another domain. Is that
>>> legal ?
>
>> Any normal HTTP exchange is 'legal'. (Some may still not be
>> supported (such as some operations))
>
>>> Will such an XHR succeed ?
>
>> Succeed is too subjective. If you make an XML HTTP request
>> and the status of the response is one of the redirection
>> statuses with a new URL location then that is success in
>> one sense (and the client-side code can observe the status
>> and the alternative URL and make some decision about how
>> it is going to act).
>
>> I suspect that you mean; will the XML HTTP request system
>> automatically act on the redirection and return the response
>> from that alternative source. To which the answer is that
>> mostly they will. There were Opera versions that did not,
>> but they had to change that as web developers mostly cannot
>> cope with HTTP and so were declaring Opera broken when it
>> only did what they asked for instead of what they expected.
>
> Ok. Thanks, Richard. One more question would be, isn't that
> a blatant violation of the SOP ?

I haven't ever tried re-directing across domains. It is asking for trouble. I would expect an XML HTTP request object to deny access to any response from a different domain.

> What happens if the redirect is to
> bank.com/operate/transferNow?amount=10000&destAccount=myAcctNumber ? Would
> bank.com cookies be sent along in the 2nd -redirected- request ?

Cookies should follow the rules for cookies. Which cookies go with which requests depends on their (actual or implied) Path and Domain parameters. However, it would be reckless to be sending instructions to be acted upon (especially in a financial context) in a cookie.

Richard.

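The Domain and Path rules mentioned in the post above, as an added example that is not part of the thread: a simplified RFC 6265-style matcher showing that cookie selection depends only on the URL being requested, so the same rules apply to a redirected request as to a direct one. The hosts `bank.example` and `app.example`, the cookie names, and the helper functions are hypothetical; hosts are assumed to be DNS names, and Secure and expiry handling are left out.

```javascript
// Added example: cookie selection by Domain and Path (RFC 6265 style).
// All hosts, cookie names and paths below are constructed sample data.

// Domain given: host must equal it or be a subdomain of it.
// Domain implied (attribute absent): host-only, exact match required.
function domainMatches(host, cookie) {
  host = host.toLowerCase();
  const d = cookie.domain.toLowerCase();
  if (host === d) return true;
  if (cookie.hostOnly) return false;
  return host.endsWith("." + d);
}

// Implied Path: the directory of the URL that set the cookie.
function defaultPath(pathname) {
  if (!pathname.startsWith("/")) return "/";
  const i = pathname.lastIndexOf("/");
  return i === 0 ? "/" : pathname.slice(0, i);
}

// Cookie path must be a whole-segment prefix of the request path.
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

// Names of the cookies a user agent would attach to a request for `url`,
// whether that request is direct or the result of following a redirect.
function cookiesFor(url, jar) {
  const { hostname, pathname } = new URL(url);
  return jar
    .filter(c => domainMatches(hostname, c) && pathMatches(pathname, c.path))
    .map(c => c.name);
}

// Constructed cookie jar for the illustration.
const jar = [
  { name: "SID", domain: "bank.example", hostOnly: true, path: "/" },
  { name: "prefs", domain: "bank.example", hostOnly: false, path: "/operate" },
  { name: "help", domain: "bank.example", hostOnly: true,
    path: defaultPath("/help/index.html") },
  { name: "app", domain: "app.example", hostOnly: true, path: "/" },
];

console.log(cookiesFor("http://bank.example/operate/transferNow?amount=1", jar));
```
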
From: Jorge on 26 Feb 2010 10:24

On Feb 26, 3:56 pm, Richard Cornford <Rich...(a)litotes.demon.co.uk> wrote:
> On Feb 26, 1:35 pm, Jorge wrote:
> > On Feb 26, 12:55 pm, Richard Cornford wrote:
> >> On Feb 26, 11:37 am, Jorge wrote:
> >
> >>> Let's say a page does an XHR to theSameDomain, and the response
> >>> is a redirect to another resource in another domain. Is that
> >>> legal ?
> >
> >> Any normal HTTP exchange is 'legal'. (Some may still not be
> >> supported (such as some operations))
> >
> >>> Will such an XHR succeed ?
> >
> >> Succeed is too subjective. If you make an XML HTTP request
> >> and the status of the response is one of the redirection
> >> statuses with a new URL location then that is success in
> >> one sense (and the client-side code can observe the status
> >> and the alternative URL and make some decision about how
> >> it is going to act).
> >
> >> I suspect that you mean; will the XML HTTP request system
> >> automatically act on the redirection and return the response
> >> from that alternative source. To which the answer is that
> >> mostly they will. There were Opera versions that did not,
> >> but they had to change that as web developers mostly cannot
> >> cope with HTTP and so were declaring Opera broken when it
> >> only did what they asked for instead of what they expected.
> >
> > Ok. Thanks, Richard. One more question would be, isn't that
> > a blatant violation of the SOP ?
>
> I haven't ever tried re-directing across domains. It is asking for
> trouble. I would expect an XML HTTP request object to deny access to
> any response from a different domain.

Denying access to the response might be a good thing, yes, but, by then it might be too late already. I think that the 2nd request -to the redirected domain/resource- should -probably- be discarded -never made- by the XHR object... ¿? Or maybe not, that's why I'm asking.

> > What happens if the redirect is to
> > bank.com/operate/transferNow?amount=10000&destAccount=myAcctNumber ? Would
> > bank.com cookies be sent along in the 2nd -redirected- request ?
>
> Cookies should follow the rules for cookies. Which cookies go with
> which requests depends on their (actual or implied) Path and Domain
> parameters.

But you know that there are circumstances under which existing cookies are *not* sent.

> However, it would be reckless to be sending instructions to be acted
> upon (especially in a financial context) in a cookie.

I was thinking about session ID cookies.

--
Jorge.