
Re: HTTPbis and the Same Origin Policy

From: Julian Reschke <julian.reschke@gmx.de>
Date: Thu, 03 Dec 2009 19:04:35 +0100
Message-ID: <4B17FDB3.4070505@gmx.de>
To: Tyler Close <tyler.close@gmail.com>
CC: Daniel Stenberg <daniel@haxx.se>, Joe Gregorio <joe@bitworking.org>, "Manger, James H" <James.H.Manger@team.telstra.com>, public-web-security@w3.org
Tyler Close wrote:
> ...
> For GET and POST requests that can be sent by the HTML form element,
> following the redirect is allowed by SOP. For more detail on the
> redirects allowed by SOP, see:
> 
> http://lists.w3.org/Archives/Public/public-webapps/2009OctDec/att-0931/draft.html
> 
> So, foo.example.com may be allowed to redirect a POST to
> bar.example.com, or any other origin.
> 
> The SOP networking restrictions on requests only come into play for
> methods other than GET and POST, or for POST requests that have
> certain headers. That's why I've been using PUT in this discussion.
> ...

Which of course begs the question why PUT is considered more dangerous 
than POST...

BR, Julian
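The distinction the quoted text draws (requests a form could have sent may cross origins and follow redirects; PUT and POST with custom headers may not) can be made concrete in a small policy function. The following is an added example written for this archive page, not code from the thread or from the draft it links; it assumes the CORS "simple request" method, header and content-type lists as the definition of "what an HTML form can send", and treats a cross-origin redirect as allowed only for such requests.

```javascript
// Added example: classify a request as "form-sendable" and decide whether a
// client may follow a cross-origin redirect on it. The lists below are the
// CORS simple-request rules, assumed here as the concrete meaning of
// "GET and POST requests that can be sent by the HTML form element".
const FORM_METHODS = new Set(['GET', 'POST']);
const FORM_CONTENT_TYPES = new Set([
  'application/x-www-form-urlencoded',
  'multipart/form-data',
  'text/plain',
]);
// Headers a plain form submission sets; anything else is a "certain header"
// that takes a POST out of the form-sendable class.
const FORM_HEADERS = new Set(['accept', 'accept-language', 'content-language', 'content-type']);

function isFormSendable(req) {
  const method = req.method.toUpperCase();
  if (!FORM_METHODS.has(method)) return false;           // PUT, DELETE, ...
  for (const [name, value] of Object.entries(req.headers || {})) {
    const lname = name.toLowerCase();
    if (!FORM_HEADERS.has(lname)) return false;          // e.g. X-Requested-With
    if (lname === 'content-type') {
      const mime = value.split(';')[0].trim().toLowerCase();
      if (!FORM_CONTENT_TYPES.has(mime)) return false;   // e.g. application/json
    }
  }
  return true;
}

function originOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.host}`;
}

// Decide whether to follow a redirect from req.url to `location`.
// Same-origin redirects are always followed; cross-origin ones only when the
// original request was form-sendable, since the target origin already had to
// defend against such requests arriving from anywhere. Returns {follow, reason}.
function redirectDecision(req, location) {
  const target = new URL(location, req.url).href;
  if (originOf(target) === originOf(req.url)) return { follow: true, reason: 'same-origin' };
  if (isFormSendable(req)) return { follow: true, reason: 'form-sendable' };
  return {
    follow: false,
    reason: `cross-origin redirect of ${req.method.toUpperCase()} to ${originOf(target)} not allowed without consent`,
  };
}
```

With this policy a POST from foo.example.com redirected to bar.example.com is followed, while the same redirect on a PUT is refused, which is exactly the asymmetry the message above questions.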
Received on Thursday, 3 December 2009 18:05:21 GMT
