- From: Mark Baker <distobj@acm.org>
- Date: Thu, 17 Jan 2008 10:46:16 -0500
- To: "Jonas Sicking" <jonas@sicking.cc>
- Cc: "Anne van Kesteren" <annevk@opera.com>, "WAF WG (public)" <public-appformats@w3.org>
On 1/17/08, Jonas Sicking <jonas@sicking.cc> wrote:
>
> Anne van Kesteren wrote:
> >
> > tlr has some doubts whether the distinction between <form> POST and
> > Access Control POST is sufficient enough to give Access Control POST a
> > preflight OPTIONS as it might lead authors to think that they are
> > protected against cross-site POST requests while in reality, if they
> > don't do careful checking of the Content-Type header or require some
> > kind of magic string previously obtained using a normal GET request,
> > they are not.
> >
> > We earlier decided to let authors perform the additional check and
> > require the preflight OPTIONS so I'll leave the specification as is
> > unless people start changing their minds...
>
> The specific attack I was worried about was SOAP service providers.
> These work by accepting XML data through POSTs and can perform
> potentially dangerous operations.

Dangerous operations aren't specific to SOAP. Any POST-accepting resource
can do them.

Mark.

--
Mark Baker. Ottawa, Ontario, CANADA. http://www.markbaker.ca
Coactus; Web-inspired integration strategies http://www.coactus.com
Received on Thursday, 17 January 2008 15:46:25 UTC
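The two server-side checks the quoted message names (a Content-Type that a plain HTML form cannot send, plus a token previously obtained via a normal GET) as an added example; this is not code from the thread or from any W3C specification, and the header name `X-Request-Token`, the function names and the sample headers are assumptions constructed for illustration.

```python
import hmac

# Content types an HTML <form> can submit cross-site without any preflight.
# A POST carrying one of these proves nothing about where it came from.
FORM_CONTENT_TYPES = {
    "application/x-www-form-urlencoded",
    "multipart/form-data",
    "text/plain",
}


def media_type(content_type):
    """Strip parameters such as '; charset=utf-8' and normalise case."""
    return content_type.split(";", 1)[0].strip().lower()


def accept_post(headers, expected_token):
    """Decide whether a POST may reach a state-changing handler.

    headers: dict of lower-cased header names to values (constructed input).
    expected_token: the per-session token handed out earlier by a GET.
    Returns (accepted, reason).
    """
    ctype = media_type(headers.get("content-type", ""))
    # Check 1: reject anything a form submission could have produced.
    if not ctype or ctype in FORM_CONTENT_TYPES:
        return False, "form-submittable content type"
    # Check 2: require the token obtained through a prior GET; constant-time
    # comparison so a wrong token is not distinguishable by timing.
    token = headers.get("x-request-token", "")
    if not hmac.compare_digest(token.encode(), expected_token.encode()):
        return False, "missing or wrong token"
    return True, "ok"


# Constructed sample requests: a form-style POST, an XML POST without the
# token, and an XML POST carrying the token.
SAMPLES = [
    {"content-type": "application/x-www-form-urlencoded"},
    {"content-type": "text/xml; charset=utf-8"},
    {"content-type": "text/xml; charset=utf-8", "x-request-token": "s3cret"},
]

if __name__ == "__main__":
    for h in SAMPLES:
        print(h.get("content-type"), "->", accept_post(h, "s3cret"))
```

Only the third sample is accepted; a SOAP-style XML body with a form content type is still refused, which is the point the message makes about checking Content-Type rather than relying on the preflight.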