Re: (XMLHttpRequest 2) Proposal for cross-site extensions to XMLHttpRequest

From: Ian Hickson <ian@hixie.ch>
Date: Mon, 17 Apr 2006 21:17:00 +0000 (UTC)
To: Mark Nottingham <mnot@yahoo-inc.com>
Cc: public-webapi@w3.org
Message-ID: <Pine.LNX.4.62.0604172115400.21459@dhalsim.dreamhost.com>

On Mon, 17 Apr 2006, Mark Nottingham wrote:
> AIUI, the specific vulnerability is form.submit() being used cross-site;
> or are there other ways to do an automated POST?

I can't think of any off-hand at the moment.

> > Sure, that's why I'm proposing that non-GET requests should have the 
> > pre-flight check.
> OK; I wasn't sure if you were retracting that or not.

I think we should retract it for POST. I agree we should keep it for 
non-GET and non-POST methods.

I'll post an updated proposal that takes into account comments so far 
later today.

Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Monday, 17 April 2006 21:17:13 GMT
