W3C home > Mailing lists > Public > public-web-security@w3.org > December 2009

Re: HTTPbis and the Same Origin Policy

From: Adam Barth <w3c@adambarth.com>
Date: Thu, 3 Dec 2009 10:07:53 -0800
Message-ID: <7789133a0912031007j44a3ad74w866328a43f70af03@mail.gmail.com>
To: Julian Reschke <julian.reschke@gmx.de>
Cc: Tyler Close <tyler.close@gmail.com>, Daniel Stenberg <daniel@haxx.se>, Joe Gregorio <joe@bitworking.org>, "Manger, James H" <James.H.Manger@team.telstra.com>, public-web-security@w3.org
On Thu, Dec 3, 2009 at 10:04 AM, Julian Reschke <julian.reschke@gmx.de> wrote:
> Tyler Close wrote:
>>
>> ...
>> For GET and POST requests that can be sent by the HTML form element,
>> following the redirect is allowed by SOP. For more detail on the
>> redirects allowed by SOP, see:
>>
>>
>> http://lists.w3.org/Archives/Public/public-webapps/2009OctDec/att-0931/draft.html
>>
>> So, foo.example.com may be allowed to redirect a POST to
>> bar.example.com, or any other origin.
>>
>> The SOP networking restrictions on requests only come into play for
>> methods other than GET and POST, or for POST requests that have
>> certain headers. Thats why I've been using PUT in this discussion.
>> ...
>
> Which of course begs the question why PUT is considered more dangerous than
> POST...

PUT is more dangerous than POST only because, historically, browsers
have allowed cross-origin POST but not PUT.  That means servers had to
tollerate cross-origin POST without exploding, but they did not need
to tolerate cross-origin PUT.  Therefore, there exist servers that
explode on a cross-origin PUT.

Ada
Received on Thursday, 3 December 2009 18:08:54 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Sunday, 19 December 2010 00:16:01 GMT