From: Jorge on
Hi,

Let's say a page does an XHR to theSameDomain, and the response is a
redirect to another resource in another domain. Is that legal ? Will
such an XHR succeed ?

TIA,
--
Jorge.
From: Richard Cornford on
On Feb 26, 11:37 am, Jorge wrote:
> Let's say a page does an XHR to theSameDomain, and the response
> is a redirect to another resource in another domain. Is that
> legal ?

Any normal HTTP exchange is 'legal'. (Some may still not be supported
(such as some operations))

> Will such an XHR succeed ?

Succeed is too subjective. If you make an XML HTTP request and the
status of the response is one of the redirection statuses with a new
URL location then that is success in one sense (and the client-side
code can observe the status and the alternative URL and make some
decision about how it is going to act).

I suspect that you mean: will the XML HTTP request system
automatically act on the redirection and return the response from that
alternative source. To which the answer is that mostly they will.
There were Opera versions that did not, but they had to change that as
web developers mostly cannot cope with HTTP and so were declaring
Opera broken when it only did what they asked for instead of what they
expected.

Richard.
From: Jorge on
On Feb 26, 12:55 pm, Richard Cornford <Rich...(a)litotes.demon.co.uk>
wrote:
> On Feb 26, 11:37 am, Jorge wrote:
>
> > Let's say a page does an XHR to theSameDomain, and the response
> > is a redirect to another resource in another domain. Is that
> > legal ?
>
> Any normal HTTP exchange is 'legal'. (Some may still not be supported
> (such as some operations))
>
> > Will such an XHR succeed ?
>
> Succeed is too subjective. If you make an XML HTTP request and the
> status of the response is one of the redirection statuses with a new
> URL location then that is success in one sense (and the client-side
> code can observe the status and the alternative URL and make some
> decision about how it is going to act).
>
> I suspect that you mean: will the XML HTTP request system
> automatically act on the redirection and return the response from that
> alternative source. To which the answer is that mostly they will.
> There were Opera versions that did not, but they had to change that as
> web developers mostly cannot cope with HTTP and so were declaring
> Opera broken when it only did what they asked for instead of what they
> expected.

Ok. Thanks, Richard. One more question would be, isn't that a blatant
violation of the SOP ? What happens if the redirect is to bank.com/
operate/transferNow?amount=10000&destAccount=myAcctNumber ? Would
bank.com cookies be sent along in the 2nd -redirected- request ?
--
Jorge.
From: Richard Cornford on
On Feb 26, 1:35 pm, Jorge wrote:
> On Feb 26, 12:55 pm, Richard Cornford wrote:
>> On Feb 26, 11:37 am, Jorge wrote:
>
>>> Let's say a page does an XHR to theSameDomain, and the response
>>> is a redirect to another resource in another domain. Is that
>>> legal ?
>
>> Any normal HTTP exchange is 'legal'. (Some may still not be
>> supported (such as some operations))
>
>> > Will such an XHR succeed ?
>
>> Succeed is too subjective. If you make an XML HTTP request
>> and the status of the response is one of the redirection
>> statuses with a new URL location then that is success in
>> one sense (and the client-side code can observe the status
>> and the alternative URL and make some decision about how
>> it is going to act).
>
>> I suspect that you mean: will the XML HTTP request system
>> automatically act on the redirection and return the response
>> from that alternative source. To which the answer is that
>> mostly they will. There were Opera versions that did not,
>> but they had to change that as web developers mostly cannot
>> cope with HTTP and so were declaring Opera broken when it
>> only did what they asked for instead of what they expected.
>
> Ok. Thanks, Richard. One more question would be, isn't that
> a blatant violation of the SOP ?

I haven't ever tried re-directing across domains. It is asking for
trouble. I would expect an XML HTTP request object to deny access to
any response from a different domain.

> What happens if the redirect is to bank.com/
> operate/transferNow?amount=10000&destAccount=myAcctNumber ? Would
> bank.com cookies be sent along in the 2nd -redirected- request ?

Cookies should follow the rules for cookies. Which cookies go with
which requests depends on their (actual or implied) Path and Domain
parameters.

However, it would be reckless to be sending instructions to be acted
upon (especially in a financial context) in a cookie.

Richard.
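
The Path and Domain rules mentioned in the reply above, as an added example that is not part of the original post: a small model of cookie selection using the domain-match and path-match rules of RFC 6265, run against the redirect target from the question. Selection depends only on the URL being requested, not on what caused the request, which is why a server should not treat a session cookie by itself as evidence that the user intended the action. The jar contents, the `thesamedomain.example` host and the function names are constructed for illustration, and browser-level policies that can withhold cookies (for example third-party cookie settings) are not modelled.

```javascript
'use strict';

// RFC 6265 domain-match: exact host, or a dot-separated suffix when the
// cookie was set with an explicit Domain attribute (hostOnly === false).
function domainMatch(host, cookie) {
  const h = host.toLowerCase();
  const d = cookie.domain.toLowerCase();
  if (h === d) return true;
  if (cookie.hostOnly) return false; // implied Domain: exact host only
  return h.endsWith('.' + d);
}

// RFC 6265 path-match: identical, or cookie path is a prefix ending at a "/" boundary.
function pathMatch(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith('/') || requestPath[cookiePath.length] === '/';
}

// Names of the cookies a user agent following these rules would attach to `url`.
function cookiesFor(url, jar) {
  const u = new URL(url);
  return jar
    .filter(c => domainMatch(u.hostname, c))
    .filter(c => pathMatch(u.pathname, c.path))
    .filter(c => !c.secure || u.protocol === 'https:')
    .map(c => c.name);
}

// Constructed cookie jar (sample data, not from the thread).
const jar = [
  { name: 'SESSIONID', domain: 'bank.com', hostOnly: true, path: '/', secure: false },
  { name: 'prefs', domain: 'bank.com', hostOnly: false, path: '/settings', secure: false },
  { name: 'sid', domain: 'thesamedomain.example', hostOnly: true, path: '/', secure: false },
];

// The redirect target from the question: only the bank.com session cookie matches.
const redirected =
  'http://bank.com/operate/transferNow?amount=10000&destAccount=myAcctNumber';
console.log(cookiesFor(redirected, jar));
// A subdomain request: the host-only cookie is excluded, the Domain cookie matches.
console.log(cookiesFor('http://www.bank.com/settings/x', jar));
```
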
From: Jorge on
On Feb 26, 3:56 pm, Richard Cornford <Rich...(a)litotes.demon.co.uk>
wrote:
> On Feb 26, 1:35 pm, Jorge wrote:
>
> > On Feb 26, 12:55 pm, Richard Cornford wrote:
> >> On Feb 26, 11:37 am, Jorge wrote:
>
> >>> Let's say a page does an XHR to theSameDomain, and the response
> >>> is a redirect to another resource in another domain. Is that
> >>> legal ?
>
> >> Any normal HTTP exchange is 'legal'. (Some may still not be
> >> supported (such as some operations))
>
> >> > Will such an XHR succeed ?
>
> >> Succeed is too subjective. If you make an XML HTTP request
> >> and the status of the response is one of the redirection
> >> statuses with a new URL location then that is success in
> >> one sense (and the client-side code can observe the status
> >> and the alternative URL and make some decision about how
> >> it is going to act).
>
> >> I suspect that you mean: will the XML HTTP request system
> >> automatically act on the redirection and return the response
> >> from that alternative source. To which the answer is that
> >> mostly they will. There were Opera versions that did not,
> >> but they had to change that as web developers mostly cannot
> >> cope with HTTP and so were declaring Opera broken when it
> >> only did what they asked for instead of what they expected.
>
> > Ok. Thanks, Richard. One more question would be, isn't that
> > a blatant violation of the SOP ?
>
> I haven't ever tried re-directing across domains. It is asking for
> trouble. I would expect an XML HTTP request object to deny access to
> any response from a different domain.

Denying access to the response might be a good thing, yes, but, by
then it might be too late already. I think that the 2nd request -to
the redirected domain/resource- should -probably- be discarded -never
made- by the XHR object... ¿? Or maybe not, that's why I'm asking.

> > What happens if the redirect is to bank.com/
> > operate/transferNow?amount=10000&destAccount=myAcctNumber ? Would
> > bank.com cookies be sent along in the 2nd -redirected- request ?
>
> Cookies should follow the rules for cookies. Which cookies go with
> which requests depends on their (actual or implied) Path and Domain
> parameters.

But you know that there are circumstances under which existing cookies
are *not* sent.

> However, it would be reckless to be sending instructions to be acted
> upon (especially in a financial context) in a cookie.

I was thinking about session ID cookies.
--
Jorge.