On 1/17/08, Jonas Sicking <jonas@sicking.cc> wrote:
>
> Anne van Kesteren wrote:
> >
> > tlr has some doubts whether the distinction between <form> POST and
> > Access Control POST is sufficient enough to give Access Control POST a
> > preflight OPTIONS as it might lead authors to think that they are
> > protected against cross-site POST requests while in reality, if they
> > don't do careful checking of the Content-Type header or require some
> > kind of magic string previously obtained using a normal GET request,
> > they are not.
> >
> > We earlier decided to let authors perform the additional check and
> > require the preflight OPTIONS so I'll leave the specification as is
> > unless people start changing their minds...
>
> The specific attack I was worried about was SOAP service providers.
> These work by accepting XML data through POSTs and can perform
> potentially dangerous operations.

Dangerous operations aren't specific to SOAP. Any POST-accepting resource
can do them.

Mark.

--
Mark Baker.  Ottawa, Ontario, CANADA.         http://www.markbaker.ca
Coactus; Web-inspired integration strategies  http://www.coactus.com

Received on Thursday, 17 January 2008 15:46:25 GMT
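The two server-side checks the quoted text names (careful checking of the Content-Type header, or a token previously obtained through a normal GET) are what a POST endpoint needs regardless of any preflight. The following is an added illustration, not code from this thread or from any W3C specification; the class name PostGuard, the header name X-Request-Token, the allowed media types and every sample value are constructed for the example. It rejects a POST whose Content-Type an HTML form could have produced, and it additionally requires a session-bound token that a cross-site page cannot read because the same-origin policy keeps the GET response from it.

```python
import hashlib
import hmac

# Media types an HTML <form> can submit on its own (enctype values).
# Accepting any of these as the only signal leaves the endpoint open to
# a plain cross-site form POST.
FORM_SUBMITTABLE_TYPES = {
    "application/x-www-form-urlencoded",
    "multipart/form-data",
    "text/plain",
}

TOKEN_HEADER = "x-request-token"  # hypothetical custom header name


def media_type(content_type_value):
    """Strip parameters such as '; charset=utf-8' and normalise case."""
    return content_type_value.split(";", 1)[0].strip().lower()


class PostGuard:
    """Gate for a POST endpoint that accepts non-form payloads such as SOAP XML.

    Both checks from the discussion are applied: an allow-list of expected
    Content-Types that no <form> can produce, and a per-session token that
    the client must first fetch with a same-origin GET (constructed example).
    """

    def __init__(self, secret, allowed_types=("application/soap+xml", "application/xml")):
        self.secret = secret
        self.allowed_types = {t.lower() for t in allowed_types}
        # An allowed type that a <form> could send would defeat the first check.
        if self.allowed_types & FORM_SUBMITTABLE_TYPES:
            raise ValueError("allowed_types must not include form-submittable media types")

    def issue_token(self, session_id):
        """Token returned to a same-origin GET; bound to the caller's session."""
        return hmac.new(self.secret, session_id.encode("utf-8"), hashlib.sha256).hexdigest()

    def check_post(self, headers, session_id):
        """Return (accepted, reason) for an incoming POST's headers."""
        lower = {k.lower(): v for k, v in headers.items()}
        mt = media_type(lower.get("content-type", ""))
        if mt in FORM_SUBMITTABLE_TYPES:
            return False, "form-submittable Content-Type %r" % mt
        if mt not in self.allowed_types:
            return False, "unexpected Content-Type %r" % mt
        presented = lower.get(TOKEN_HEADER, "").encode("utf-8")
        expected = self.issue_token(session_id).encode("utf-8")
        # Constant-time comparison so the check does not leak the token byte by byte.
        if not hmac.compare_digest(presented, expected):
            return False, "missing or invalid request token"
        return True, "ok"


if __name__ == "__main__":
    # Constructed requests: one legitimate SOAP call, one that looks like a
    # cross-site form post, and one that has the right type but no token.
    guard = PostGuard(b"constructed-secret-do-not-reuse")
    token = guard.issue_token("session-A")
    samples = [
        {"Content-Type": "application/soap+xml; charset=utf-8", "X-Request-Token": token},
        {"Content-Type": "application/x-www-form-urlencoded"},
        {"Content-Type": "application/soap+xml"},
    ]
    for hdrs in samples:
        print(hdrs.get("Content-Type"), "->", guard.check_post(hdrs, "session-A"))
```

The token check is the one that actually matters for a cross-site POST: the media-type allow-list only rules out what a plain form can send today, and any client that can set arbitrary request headers (as the Access Control proposal under discussion would permit after its preflight) makes the token the deciding factor.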