Re: <form> POST versus Access Control POST

On Thu, 17 Jan 2008 21:42:10 +0100, Ian Hickson <ian@hixie.ch> wrote:
> On Thu, 17 Jan 2008, Mark Baker wrote:
>> On 1/17/08, Jonas Sicking <jonas@sicking.cc> wrote:
>>> The specific attack I was worried about was SOAP service providers.
>>> These work by accepting XML data through POSTs and can perform
>>> potentially dangerous operations.
>>
>> Dangerous operations aren't specific to SOAP.  Any POST-accepting
>> resource can do them.
>
> In practice, servers can be separated into two groups: those that check
> the submission MIME type, and those that just assume one.
>
> [...]

This is now covered by the FAQ under "Why is POST not treated identically  
to GET?".


-- 
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>

Received on Friday, 18 January 2008 11:52:05 UTC