
Re: [AC] Preflight-less POST

From: Anne van Kesteren <annevk@opera.com>
Date: Thu, 10 Jul 2008 08:15:17 +0200
To: "Jonas Sicking" <jonas@sicking.cc>, "Webapps WG" <public-webapps@w3.org>
Message-ID: <op.ud2bnrok64w2qv@annevk-t60.oslo.opera.com>

On Thu, 10 Jul 2008 04:10:00 +0200, Jonas Sicking <jonas@sicking.cc> wrote:
> Unfortunately when I brought this up at mozilla there was concern about  
> doing cross-site POSTing with content types other than what <form>s  
> already allow. The concern was that it could make servers exploitable,  
> which weren't today.

It appears that Flash does a preflight GET to /crossdomain.xml for any  
cross-site requests. During the F2F I got the impression that this was not  
the case and I believe the idea of allowing cross-site POST was based on  
that not being the case.

Just allowing cross-site POST when Content-Type is  
application/x-www-form-urlencoded or text/plain seems bad as it a)  
encourages bad design to avoid a preflight and b) makes whitelisting even  
more fine-grained. Initially the distinction was just on methods, then it  
became headers, going further down to header values seems like a bad idea  
to me. I'd much rather go back to just GET versus everything else (i.e.,  

Anne van Kesteren
Received on Thursday, 10 July 2008 06:15:46 UTC
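As an added example (not code from the thread, nor from any browser or the spec), here is a small model of the two preflight policies the message contrasts: the "GET versus everything else" rule and the Content-Type whitelist for preflight-less POST. The policy names and the set of header names a form can send are assumptions made for the example.

```python
# Added example: model the two preflight policies discussed in the thread.
# The policy names and FORM_HEADERS are assumptions for illustration only.
from typing import Dict

SAFE_METHODS = {"GET", "HEAD"}
# Content-Type values a plain HTML <form> can already send cross-site.
FORM_CONTENT_TYPES = {"application/x-www-form-urlencoded", "text/plain"}
# Header names assumed to be sendable by a <form> without script involvement.
FORM_HEADERS = {"accept", "accept-language", "content-language", "content-type"}


def _normalise(headers: Dict[str, str]) -> Dict[str, str]:
    """Lower-case header names and strip parameters (e.g. charset) from Content-Type."""
    out = {}
    for name, value in headers.items():
        value = value.strip()
        if name.lower() == "content-type":
            value = value.split(";", 1)[0].strip().lower()
        out[name.lower()] = value
    return out


def needs_preflight_method_only(method: str, headers: Dict[str, str]) -> bool:
    """'GET versus everything else': only the method decides, header values are ignored."""
    return method.upper() not in SAFE_METHODS


def needs_preflight_with_values(method: str, headers: Dict[str, str]) -> bool:
    """Preflight-less POST: exempt POST only when every header name is one a
    <form> could send and the Content-Type value is on the whitelist.
    This policy must inspect header *values*, the extra granularity objected to."""
    h = _normalise(headers)
    if not set(h) <= FORM_HEADERS:
        return True  # any header a form cannot send forces a preflight
    if method.upper() in SAFE_METHODS:
        return False
    if method.upper() != "POST":
        return True
    return h.get("content-type", "") not in FORM_CONTENT_TYPES


def compare(method: str, headers: Dict[str, str]) -> Dict[str, bool]:
    """Return, per policy, whether this cross-site request would be preflighted."""
    return {
        "method_only": needs_preflight_method_only(method, headers),
        "with_values": needs_preflight_with_values(method, headers),
    }
```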
