- From: Mark Nottingham <mnot@yahoo-inc.com>
- Date: Mon, 17 Apr 2006 11:41:14 -0700
- To: Ian Hickson <ian@hixie.ch>
- Cc: public-webapi@w3.org
On 2006/04/14, at 2:10 PM, Ian Hickson wrote:

>> BTW, would you consider these URIs to have different policies?
>>
>> http://www.example.com/search?a=b
>> http://www.example.com/search?c=d
>
> Yes. But if you're doing a POST, why not include the variables in the
> entity body?

I was just wondering if each would have a separate policy, independent of the method. As to the variables, there's a difference between query args and body content (despite how most CGI tools treat it); the query args form a part of the identity of the resource, the body doesn't (but that's neither here nor there for the purposes of this discussion).

>>>> As stated before, I'm not sure the existence of one hole justifies
>>>> the intentional opening of other holes.
>>>
>>> It's not "one hole". Most of the Web works this way, always has.
>>
>> I was referring to the ability to do a POST; obviously GET is possible
>> through a variety of methods, but that's OK, because it's safe.
>
> In that case I'm confused; you can't do a POST with a <script> element.
> Did you mean <form>?

Sorry, script + form for a non-user-initiated POST. AIUI, the specific vulnerability is form.submit() being used cross-site; or are there other ways to do an automated POST?

>> It's true that it's possible to muck around with script tags and HTML
>> forms to send an arbitrary POST without interaction (the "one hole"),
>> but the existence of one accidental attack vector isn't justification
>> for intentionally creating (and standardising) another bigger one (not
>> just POST, but other methods as well).
>
> Sure, that's why I'm proposing that non-GET requests should have the
> pre-flight check.

OK; I wasn't sure if you were retracting that or not. It sounds like the question is just how to do the pre-flight check. I'm not necessarily against yours (it has some nice properties), but I'm not sure it's the best way forward.

Thanks,

--
Mark Nottingham
mnot@yahoo-inc.com
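As an added illustration (not code from this thread or from either author), the sketch below shows the server-side shape of the point the two agree on: safe methods are served without ceremony, while a cross-site non-GET request is refused unless a pre-flight for that exact resource, origin and method succeeded first, with policy keyed per URI including the query string. The pre-flight exchange, the policy table and the assumption that the browser labels requests with their origin are all assumptions for illustration, not the proposal under discussion.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

SERVER_ORIGIN = "http://www.example.com"  # constructed sample value
SAFE_METHODS = {"GET", "HEAD"}            # safe methods need no pre-flight

@dataclass
class Request:
    method: str
    path: str                     # path including query string
    origin: Optional[str] = None  # assumed browser-supplied origin; None = same-site

@dataclass
class Gate:
    # policy is keyed by the full path including query, because the query
    # string is part of the resource identity: /search?a=b and /search?c=d
    # are distinct resources and may carry distinct policies.
    policy: Dict[str, Dict[str, Set[str]]] = field(default_factory=dict)
    approved: Set[Tuple[str, str, str]] = field(default_factory=set)

    def preflight(self, origin: str, path: str, method: str) -> bool:
        """Assumed pre-flight exchange: the caller names origin, resource and
        intended method; approval is recorded only if the policy allows it."""
        allowed = self.policy.get(path, {}).get(origin, set())
        if method in allowed:
            self.approved.add((origin, path, method))
            return True
        return False

    def handle(self, req: Request) -> int:
        if req.method in SAFE_METHODS:
            return 200  # GET/HEAD are safe; cross-site GET was always possible
        if req.origin is None or req.origin == SERVER_ORIGIN:
            return 200  # same-site non-GET: an ordinary form post
        if (req.origin, req.path, req.method) in self.approved:
            return 200  # cross-site non-GET that passed its pre-flight
        return 403      # cross-site non-GET with no pre-flight: refused

def demo() -> Dict[str, int]:
    gate = Gate(policy={"/search?a=b": {"http://partner.example": {"POST"}}})
    partner = "http://partner.example"  # constructed sample origin
    return {
        "cross_site_get": gate.handle(Request("GET", "/search?c=d", partner)),
        "post_without_preflight": gate.handle(Request("POST", "/search?a=b", partner)),
        "preflight_wrong_resource": int(gate.preflight(partner, "/search?c=d", "POST")),
        "preflight_ok": int(gate.preflight(partner, "/search?a=b", "POST")),
        "post_after_preflight": gate.handle(Request("POST", "/search?a=b", partner)),
        "delete_after_post_preflight": gate.handle(Request("DELETE", "/search?a=b", partner)),
    }
```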
Received on Monday, 17 April 2006 18:42:45 UTC