
Re: [AC] Preflight-less POST

From: Anne van Kesteren <annevk@opera.com>
Date: Thu, 10 Jul 2008 23:45:04 +0200
To: "Jonas Sicking" <jonas@sicking.cc>
Cc: "Webapps WG" <public-webapps@w3.org>
Message-ID: <op.ud3ipekr64w2qv@annevk-t60.oslo.opera.com>

On Thu, 10 Jul 2008 13:21:33 +0200, Jonas Sicking <jonas@sicking.cc> wrote:
> Yes, I had gotten the impression that Flash would allow POSTs even if  
> there was no /crossdomain.xml file. I.e. that it would allow the actual  
> POST even if the preflight failed, it just wouldn't let you read the  
> data.
> If I'm wrong that definitely changes things and makes option 1 much less  
> viable.

It seems Björn has some other data than I have. I used the following  
simple page together with request sniffing


to figure out if everything had a preflight /crossdomain.xml GET request.  
Using Flash 9 on Ubuntu this appeared to be the case.

>> Just allowing cross-site POST when Content-Type is  
>> application/x-www-form-urlencoded or text/plain seems bad as it a)  
>> encourages bad design to avoid a preflight and b) makes whitelisting  
>> even more fine-grained. Initially the distinction was just on methods,  
>> then it became headers, going further down to header values seems like  
>> a bad idea to me. I'd much rather go back to just GET versus everything  
>> else (i.e., methods).
> I agree it's bad, the question is if it's worse than option 3, which is  
> to not have IE compatibility.

True. Another point to consider here is if we want compatibility with HTML  
forms "Web Forms" as using Access Control would enable more functionality  
for ordinary forms as well, such as exposing cross-site return data and  
allowing the CHICKEN method.

Anne van Kesteren
Received on Thursday, 10 July 2008 21:45:30 UTC
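The two whitelisting granularities weighed in this message, put side by side as an added illustration (not code from the original message or from the Access Control draft). The policy names, the request objects and the handling of a POST with no Content-Type are assumptions made for this example.

```javascript
// Added illustration; policy names and sample requests are constructed for this example.
// The two Content-Type values are the ones named in the message above.
const PREFLIGHT_FREE_POST_TYPES = new Set([
  "application/x-www-form-urlencoded",
  "text/plain",
]);

// Reduce a Content-Type header value to its lowercase media type, dropping
// parameters such as "; charset=UTF-8". Returns null when the header is absent.
function mediaType(headerValue) {
  if (typeof headerValue !== "string") return null;
  const type = headerValue.split(";")[0].trim().toLowerCase();
  return type === "" ? null : type;
}

// Decide whether a cross-site request is preceded by a preflight under a policy.
function needsPreflight(request, policy) {
  const method = request.method.toUpperCase();
  if (method === "GET") return false;
  if (policy === "methods") return true; // GET versus everything else
  if (policy === "content-type-values") {
    if (method !== "POST") return true;
    const type = mediaType(request.contentType);
    // Assumption: a POST with no Content-Type still gets a preflight.
    return type === null || !PREFLIGHT_FREE_POST_TYPES.has(type);
  }
  throw new Error("unknown policy: " + policy);
}

// Constructed sample requests.
const SAMPLES = [
  { name: "form post", method: "POST", contentType: "application/x-www-form-urlencoded" },
  { name: "JSON body sent as text/plain", method: "POST", contentType: "Text/Plain; charset=UTF-8" },
  { name: "JSON API call", method: "POST", contentType: "application/json" },
  { name: "delete", method: "DELETE", contentType: null },
];

// Evaluate every sample under both policies so the difference is visible per row.
function compare(samples) {
  return samples.map((r) => ({
    name: r.name,
    methods: needsPreflight(r, "methods"),
    contentTypeValues: needsPreflight(r, "content-type-values"),
  }));
}

console.table(compare(SAMPLES));
```

The second row is the case a server has to plan for under the header-value rule: the body can carry any payload, yet the request arrives without a preflight because only the declared type is inspected.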
