On Thu, 10 Jul 2008 04:10:00 +0200, Jonas Sicking <jonas@sicking.cc> wrote:
> Unfortunately when I brought this up at mozilla there was concern about
> doing cross-site POSTing with content types other than what <form>s
> already allow. The concern was that it could make servers exploitable,
> which weren't today.

It appears that Flash does a preflight GET to /crossdomain.xml for any cross-site requests. During the F2F I got the impression that this was not the case and I believe the idea of allowing cross-site POST was based on that not being the case.

Just allowing cross-site POST when Content-Type is application/x-www-form-urlencoded or text/plain seems bad as it a) encourages bad design to avoid a preflight and b) makes whitelisting even more fine-grained. Initially the distinction was just on methods, then it became headers, going further down to header values seems like a bad idea to me. I'd much rather go back to just GET versus everything else (i.e., methods).

-- 
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>

Received on Thursday, 10 July 2008 06:15:46 GMT
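The two whitelisting granularities argued about above, as an added example that is not part of the original thread and not code from any of the participants. The value-based rule models what the CORS/Fetch specifications later adopted (POST is preflight-free only when every header is safelisted and the Content-Type essence is one of the three <form> enctypes); the method-only rule models the "GET versus everything else" position in the mail. Function names, the header list and the sample requests are this example's own constructions, not anything from the discussion.

```javascript
// Added example: a minimal model of the two preflight policies debated in
// the thread. It is not code from the mailing list or from any browser.

// Content-Type values a <form> can already send cross-site. The spec that
// was eventually adopted safelists exactly these three essences; the mail
// itself names only the first and the last.
const FORM_TYPES = new Set([
  "application/x-www-form-urlencoded",
  "multipart/form-data",
  "text/plain",
]);

// Request headers that do not trigger a preflight under the value-based rule.
const SAFELISTED_HEADERS = new Set([
  "accept",
  "accept-language",
  "content-language",
  "content-type",
]);

// MIME essence: the type/subtype with parameters (e.g. "; charset=UTF-8")
// stripped, lower-cased. The whitelist is checked against the essence, so
// "text/plain; charset=UTF-8" still counts as text/plain.
function mimeEssence(value) {
  return value.split(";")[0].trim().toLowerCase();
}

// Policy A: whitelist by method, header name AND header value (the
// fine-grained rule the mail objects to). Returns true when the request
// would need an OPTIONS preflight before being sent cross-origin.
function needsPreflightByValue(method, headers) {
  const m = method.toUpperCase();
  if (!["GET", "HEAD", "POST"].includes(m)) return true;
  for (const [name, value] of Object.entries(headers)) {
    const n = name.toLowerCase();
    if (!SAFELISTED_HEADERS.has(n)) return true;
    if (n === "content-type" && !FORM_TYPES.has(mimeEssence(value))) return true;
  }
  return false;
}

// Policy B: "GET versus everything else", methods only, as the mail
// proposes. Headers are deliberately ignored, which is the whole point of
// that proposal (and also why a custom header alone would not preflight).
function needsPreflightByMethod(method, _headers) {
  return method.toUpperCase() !== "GET";
}

// Constructed sample requests a cross-origin page script might issue.
const SAMPLES = [
  { label: "form POST", method: "POST", headers: { "Content-Type": "application/x-www-form-urlencoded" } },
  { label: "text POST", method: "POST", headers: { "Content-Type": "text/plain; charset=UTF-8" } },
  { label: "JSON POST", method: "POST", headers: { "Content-Type": "application/json" } },
  { label: "GET + custom header", method: "GET", headers: { "X-Requested-With": "XMLHttpRequest" } },
  { label: "PUT text", method: "PUT", headers: { "Content-Type": "text/plain" } },
];

// Run both policies over the samples and return the decisions side by side.
function classify(samples = SAMPLES) {
  return samples.map((s) => ({
    label: s.label,
    byValue: needsPreflightByValue(s.method, s.headers),
    byMethod: needsPreflightByMethod(s.method, s.headers),
  }));
}

for (const row of classify()) {
  console.log(`${row.label.padEnd(20)} value-rule: ${row.byValue}  method-rule: ${row.byMethod}`);
}
```

The rows where the two columns differ are the crux of the argument: under the value-based rule a text/plain POST goes out with no preflight, so a server that reads JSON out of a text/plain body to dodge the preflight (point a in the mail) has made itself reachable by a plain cross-site form post; under the method-only rule every POST preflights, but a GET carrying a custom header does not.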