
[AC] Preflight-less POST

From: Jonas Sicking <jonas@sicking.cc>
Date: Wed, 09 Jul 2008 19:10:00 -0700
Message-ID: <48756F78.5020208@sicking.cc>
To: Webapps WG <public-webapps@w3.org>

Hi All,

During the F2F we talked about doing preflight-less POSTs in order to be
compatible with Microsoft's security model and allow them to follow the AC
spec for their feature set.

Unfortunately, when I brought this up at Mozilla there was concern about
doing cross-site POSTing with content types other than what <form>s
already allow. The concern was that it could make servers exploitable
that aren't today.

So I see a few ways forward:

1. Build more confidence that this would not in fact break servers.

I'm working on this method. I've contacted Adobe since I think Flash
currently allows cross-site POSTing with arbitrary Content-Types. I've
also contacted Microsoft to see if they have gotten any feedback on IE8
Beta 1, where XDR allows arbitrary content types. Silverlight also
supports this feature.

I'd also like to make a general shout-out here to see how people feel
about this, or if they know of any other protocols that send arbitrary
Content-Types with cross-site POSTs that we could use to gather data
about whether this makes sites exploitable.

If anyone has pointers to any research that has been done on Flash in
general, or its cross-site posting mechanism in particular, that would be
great, even if it doesn't mention this specific issue.


2. Don't require pre-flight for 'text/plain' POSTs, but require it
otherwise.

The downside of this solution is that it encourages people to use 
'text/plain' as Content-Type for everything they send which has its 
downsides.

The upshot is that this would still allow compat with XDR.


3. Always pre-flight POSTs

This would abandon any hope of allowing XDR to use Access-Control as
a security protocol.

Unless Microsoft were able to implement preflights in IE8, but it seems
like it's really late in their release schedule for such a large change.


One thing that I really like about proposal 1 is the simplicity. We 
would say "POST can be done cross origin without any checking, so you 
need to protect yourself against that". Any other proposal is basically 
"POST can be done cross origin without any checking, but only for these 
here values of the 'Content-Type' header. Except that it looks like in 
Access-Control you can rely on those requests not coming in. Oh, and if 
you are concerned about users of Flash and Silverlight being exploitable 
you do need to worry about all values for 'Content-Type'."

/ Jonas
Received on Thursday, 10 July 2008 02:17:54 GMT
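
Added example, not part of the original message or of any spec text: a small server-side audit that models the three proposals above and lists which handlers would start receiving cross-site POSTs that <form>s could not already send. The handler list, its field names (`accepts`, `checksRequestSource`) and the paths are constructed for illustration; the three form content types are the standard <form> enctype values.

```javascript
// Content types a plain HTML <form> can already POST cross-site.
const FORM_TYPES = new Set([
  "application/x-www-form-urlencoded",
  "multipart/form-data",
  "text/plain",
]);

// Reduce a Content-Type header value to its lowercase media type (parameters dropped).
function mediaType(headerValue) {
  if (typeof headerValue !== "string") return "";
  return headerValue.split(";")[0].trim().toLowerCase();
}

// Would a cross-origin POST with this Content-Type reach the server with no
// preflight under proposal 1, 2 or 3 as numbered in the message?
function skipsPreflight(proposal, contentType) {
  switch (proposal) {
    case 1: return true;                                   // never preflight POST
    case 2: return mediaType(contentType) === "text/plain"; // only text/plain skips
    case 3: return false;                                  // always preflight POST
    default: throw new RangeError("unknown proposal " + proposal);
  }
}

// True when the proposal lets through a request that forms could not produce.
function newlyExposed(proposal, contentType) {
  return skipsPreflight(proposal, contentType) &&
         !FORM_TYPES.has(mediaType(contentType));
}

// Paths of handlers that have no cross-site request defence of their own
// (hypothetical flag checksRequestSource) and become reachable under the proposal.
function auditHandlers(proposal, handlers) {
  return handlers
    .filter((h) => !h.checksRequestSource && newlyExposed(proposal, h.accepts))
    .map((h) => h.path);
}

// Constructed sample inventory of POST handlers.
const SAMPLE_HANDLERS = [
  { path: "/api/orders", accepts: "application/json", checksRequestSource: false },
  { path: "/soap/transfer", accepts: "text/xml; charset=utf-8", checksRequestSource: false },
  { path: "/login", accepts: "application/x-www-form-urlencoded", checksRequestSource: false },
  { path: "/notes", accepts: "Text/Plain; charset=UTF-8", checksRequestSource: false },
  { path: "/api/admin", accepts: "application/json", checksRequestSource: true },
];

for (const p of [1, 2, 3]) console.log("proposal", p, auditHandlers(p, SAMPLE_HANDLERS));
```

Only proposal 1 flags handlers here: under proposal 2 the one preflight-less type is something forms can already send, and under proposal 3 nothing arrives without a preflight.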
