[Standards] Redirects in BOSH

Joe Hildebrand joe.hildebrand at webex.com
Fri Feb 25 15:14:13 UTC 2011

On 2/25/11 6:07 AM, "Peter Saint-Andre" <stpeter at stpeter.im> wrote:

> [old thread alert!]
> On 12/1/10 12:56 AM, Evgeniy Khramtsov wrote:
>> Is it possible to redirect BOSH requests (probably, using 3xx+cookie or
>> something like that)? The client should not interpret such responses as
>> fatal, e.g. it should not drop the existing session.
> I see no reason why not, but it's not described in the spec. Would it
> help for us to add some examples?

If the redirect comes from a trusted source (e.g. over HTTPS with a verified
certificate) then this can work ok, although we've decided that the BOSH
see-other-uri error is easier to control through XMLHTTPRequest,
particularly when doing CORS.

Be careful that you don't blindly accept redirects, however, or you are
trivial to man-in-the-middle attack.

Joe Hildebrand

More information about the Standards mailing list