
Re: [AC] Preflight-less POST

From: Anne van Kesteren <annevk@opera.com>
Date: Thu, 10 Jul 2008 08:15:17 +0200
To: "Jonas Sicking" <jonas@sicking.cc>, "Webapps WG" <public-webapps@w3.org>
Message-ID: <op.ud2bnrok64w2qv@annevk-t60.oslo.opera.com>

On Thu, 10 Jul 2008 04:10:00 +0200, Jonas Sicking <jonas@sicking.cc> wrote:
> Unfortunately when I brought this up at mozilla there was concern about  
> doing cross-site POSTing with content types other than what <form>s  
> already allow. The concern was that it could make servers exploitable,  
> which weren't today.

It appears that Flash does a preflight GET to /crossdomain.xml for any  
cross-site requests. During the F2F I got the impression that this was not  
the case and I believe the idea of allowing cross-site POST was based on  
that not being the case.

Just allowing cross-site POST when Content-Type is  
application/x-www-form-urlencoded or text/plain seems bad as it a)  
encourages bad design to avoid a preflight and b) makes whitelisting even  
more fine-grained. Initially the distinction was just on methods, then it  
became headers, going further down to header values seems like a bad idea  
to me. I'd much rather go back to just GET versus everything else (i.e.,  
methods).


-- 
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>
Received on Thursday, 10 July 2008 06:15:46 GMT
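The two whitelisting rules under discussion side by side, as an added example that is not part of the thread or of any browser's code: a "content-type" policy that lets a cross-site POST skip the preflight when its Content-Type is one a form could already send, and the "methods" policy Anne prefers (GET versus everything else). The server-side check and the list of form content types are assumptions for illustration.

```python
from dataclasses import dataclass, field

# Content types a <form> can already send cross-site, so a POST with one of
# them gains no new capability (constructed list for this example).
FORM_CONTENT_TYPES = {
    "application/x-www-form-urlencoded",
    "multipart/form-data",
    "text/plain",
}


@dataclass
class Request:
    method: str
    headers: dict = field(default_factory=dict)  # lower-case name -> value


def media_type(content_type: str) -> str:
    """Strip parameters such as '; charset=utf-8' and normalise case."""
    return content_type.split(";", 1)[0].strip().lower()


def needs_preflight(req: Request, policy: str) -> bool:
    """Decide whether a cross-site request must be preflighted.

    policy == "methods": only GET and HEAD skip the preflight.
    policy == "content-type": a POST also skips it when its Content-Type is
    one a <form> could already send (the finer-grained rule criticised above).
    """
    if req.method in ("GET", "HEAD"):
        return False
    if policy == "content-type" and req.method == "POST":
        ct = media_type(req.headers.get("content-type", ""))
        return ct not in FORM_CONTENT_TYPES
    return True


def server_accepts_as_json(req: Request) -> bool:
    """Hypothetical server-side guard: only parse a body as JSON when the
    media type is exactly application/json, so a form-compatible POST
    (e.g. text/plain carrying JSON-shaped text) is never misread as JSON."""
    return (req.method == "POST"
            and media_type(req.headers.get("content-type", "")) == "application/json")
```

Under the "content-type" policy a text/plain POST reaches the server with no preflight, which is exactly the case the strict media-type guard is there to catch.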