W3C home > Mailing lists > Public > public-webapps@w3.org > July to September 2008

Re: [AC] Preflight-less POST

From: Jonas Sicking <jonas@sicking.cc>
Date: Thu, 10 Jul 2008 06:21:33 -0500
Message-ID: <4875F0BD.3010902@sicking.cc>
To: Anne van Kesteren <annevk@opera.com>
Cc: Webapps WG <public-webapps@w3.org>

Anne van Kesteren wrote:
> On Thu, 10 Jul 2008 04:10:00 +0200, Jonas Sicking <jonas@sicking.cc> wrote:
>> Unfortunately when I brought this up at mozilla there was concern 
>> about doing cross-site POSTing with content types other than what 
>> <form>s already allow. The concern was that it could make servers 
>> exploitable, which weren't today.
> 
> It appears that FLash does a preflight GET to /crossdomain.xml for any 
> cross-site requests. During the F2F I got the impression that this was 
> not the case and I believe the idea of allowing cross-site POST was 
> based on that not being the case.

Yes, I had gotten the impression that Flash would allow POSTs even if 
there was no /crossdomain.xml file. I.e. that it would allow the actual 
POST even if the preflight failed, it just wouldn't let you read the data.

If I'm wrong that definitely changes things and makes option 1 much less 
viable.

> Just allowing cross-site POST when Content-Type is 
> application/x-www-form-urlencoded or text/plain seems bad as it a) 
> encourages bad design to avoid a preflight and b) makes whitelisting 
> even more fine-grained. Initially the distinction was just on methods, 
> then it became headers, going further down to header values seems like a 
> bad idea to me. I'd much rather go back to just GET versus everything 
> else (i.e., methods).

I agree it's bad, the question is if it's worse than option 3, which is 
to not have IE compatibility.

/ Jonas
Received on Thursday, 10 July 2008 11:23:01 GMT

This archive was generated by hypermail 2.3.1 : Tuesday, 26 March 2013 18:49:27 GMT