- From: Anne van Kesteren <annevk@opera.com>
- Date: Thu, 10 Jul 2008 08:15:17 +0200
- To: "Jonas Sicking" <jonas@sicking.cc>, "Webapps WG" <public-webapps@w3.org>
On Thu, 10 Jul 2008 04:10:00 +0200, Jonas Sicking <jonas@sicking.cc> wrote:
> Unfortunately when I brought this up at Mozilla there was concern about
> doing cross-site POSTing with content types other than what <form>s
> already allow. The concern was that it could make servers exploitable,
> which weren't today.

It appears that Flash does a preflight GET to /crossdomain.xml for any cross-site request. During the F2F I got the impression that this was not the case and I believe the idea of allowing cross-site POST was based on that not being the case.

Just allowing cross-site POST when Content-Type is application/x-www-form-urlencoded or text/plain seems bad as it a) encourages bad design to avoid a preflight and b) makes whitelisting even more fine-grained. Initially the distinction was just on methods, then it became headers; going further down to header values seems like a bad idea to me. I'd much rather go back to just GET versus everything else (i.e., methods).

-- 
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>
Received on Thursday, 10 July 2008 06:15:46 UTC
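The two preflight rules debated in the message, modelled as an added example (this is illustrative code written for this page, not code from the thread, from Opera, Mozilla or any browser). The policy names "method-only" and "content-type" are my own labels for Anne's preferred rule and the rule she argues against; the Content-Type values are the ones named in the message, plus multipart/form-data, which is an assumption on my part since an HTML <form> can produce it as well. The sample requests at the bottom are constructed for the example.

```javascript
// Added example: which cross-site requests would skip a preflight under
// each of the two rules discussed, and which of those a plain HTML <form>
// could already send (the baseline exposure a server has today).

// Content types a <form> can emit. The first two are named in the message;
// multipart/form-data is an assumption (enctype="multipart/form-data").
const FORM_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded",
  "text/plain",
  "multipart/form-data",
]);

// Strip parameters such as "; charset=utf-8" and normalise case, so that
// "Text/Plain; charset=utf-8" compares equal to "text/plain".
function mediaType(contentType) {
  if (!contentType) return "";
  return contentType.split(";")[0].trim().toLowerCase();
}

// Could a plain HTML <form> already send this request cross-site?
function reachableByForm(req) {
  const method = req.method.toUpperCase();
  if (method === "GET") return true;
  if (method !== "POST") return false;
  return FORM_CONTENT_TYPES.has(mediaType(req.headers["content-type"]));
}

// Does the request need a preflight under the given policy?
//   "method-only":  GET goes through, everything else preflights
//                   (the "GET versus everything else" rule).
//   "content-type": GET goes through; POST goes through only when its
//                   Content-Type is one a <form> could have produced.
function needsPreflight(req, policy) {
  const method = req.method.toUpperCase();
  const ctype = mediaType(req.headers["content-type"]);
  switch (policy) {
    case "method-only":
      return method !== "GET";
    case "content-type":
      if (method === "GET") return false;
      if (method === "POST") return !FORM_CONTENT_TYPES.has(ctype);
      return true;
    default:
      throw new Error("unknown policy: " + policy);
  }
}

// True when a policy lets a request through without a preflight although
// no <form> could have sent it: exactly the "servers exploitable which
// weren't today" case. Under both rules modelled here this stays false,
// which shows the exposure is not new; the argument in the message is
// about fine-grained header-value whitelisting, not new exposure.
function newlyExposed(req, policy) {
  return !needsPreflight(req, policy) && !reachableByForm(req);
}

// Classify a list of requests under a policy; returns one row per request.
function classify(requests, policy) {
  return requests.map((req) => ({
    name: req.name,
    preflight: needsPreflight(req, policy),
    formReachable: reachableByForm(req),
    newlyExposed: newlyExposed(req, policy),
  }));
}

// Constructed sample requests (not captured traffic). Note the last one:
// a JSON body labelled text/plain skips the preflight under the
// content-type rule, which is the "bad design to avoid a preflight" Anne
// mentions. The server only sees the Content-Type header, and a server that
// sniffs the body rather than trusting the header would parse it as JSON.
const SAMPLE_REQUESTS = [
  { name: "get", method: "GET", headers: {} },
  { name: "form-post", method: "POST",
    headers: { "content-type": "application/x-www-form-urlencoded; charset=utf-8" },
    body: "a=1" },
  { name: "json-post", method: "POST",
    headers: { "content-type": "application/json" }, body: '{"a":1}' },
  { name: "put-plain", method: "PUT",
    headers: { "content-type": "text/plain" }, body: "x" },
  { name: "json-as-plain", method: "POST",
    headers: { "content-type": "text/plain" }, body: '{"a":1}' },
];

for (const policy of ["method-only", "content-type"]) {
  console.log(policy, classify(SAMPLE_REQUESTS, policy));
}
```

Run with `node`; the two printed tables show that the "content-type" rule lets "json-as-plain" through without a preflight while "json-post" is blocked, even though the bodies are identical, which is the header-value distinction the message objects to.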