Re: [AC] Preflight-less POST

Anne van Kesteren wrote:
> 
> On Thu, 10 Jul 2008 13:21:33 +0200, Jonas Sicking <jonas@sicking.cc> wrote:
>> Yes, I had gotten the impression that Flash would allow POSTs even if 
>> there was no /crossdomain.xml file. I.e. that it would allow the 
>> actual POST even if the preflight failed, it just wouldn't let you 
>> read the data.
>>
>> If I'm wrong that definitely changes things and makes option 1 much 
>> less viable.
> 
> It seems Björn has some other data than I have. I used the following 
> simple page together with request sniffing
> 
>   http://blog.monstuff.com/Flash4AJAX/static/Xdomain.html
> 
> to figure out if everything had a preflight /crossdomain.xml GET 
> request. Using Flash 9 on Ubuntu this appeared to be the case.
> 
> 
>>> Just allowing cross-site POST when Content-Type is 
>>> application/x-www-form-urlencoded or text/plain seems bad as it a) 
>>> encourages bad design to avoid a preflight and b) makes whitelisting 
>>> even more fine-grained. Initially the distinction was just on 
>>> methods, then it became headers, going further down to header values 
>>> seems like a bad idea to me. I'd much rather go back to just GET 
>>> versus everything else (i.e., methods).
>>
>> I agree it's bad, the question is if it's worse than option 3, which 
>> is to not have IE compatibility.
> 
> True. Another point to consider here is if we want compatibility with 
> HTML forms "Web Forms" as using Access Control would enable more 
> functionality for ordinary forms as well, such as exposing cross-site 
> return data and allowing the CHICKEN method.

Indeed. Though option 1 would also allow us to do that.

/ Jonas
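To make the whitelisting granularities in the thread concrete, here is an added model (not code from the thread or from any browser) of the two rules discussed, "GET versus everything else" and "POST is also preflight-less when Content-Type is application/x-www-form-urlencoded or text/plain", together with the server-side consequence: a POST that skips the preflight reaches the handler before the server has said anything, exactly like an HTML form submission, so the handler itself must check Origin. The policy names, the safelisted header set and the treatment of a missing Origin header are assumptions of this model, not spec text.

```python
# Added illustration of the thread's two whitelisting rules; policy names,
# SAFE_HEADERS and the missing-Origin assumption are constructed for the model.
SAFE_HEADERS = {"accept", "accept-language", "content-language", "content-type"}
FORM_TYPES = {"application/x-www-form-urlencoded", "text/plain"}


def _normalise(headers):
    return {k.lower(): v for k, v in headers.items()}


def needs_preflight(method, headers, policy="methods"):
    """True if a cross-site request would be preflighted under `policy`.

    "methods"      : only GET skips the preflight (GET versus everything else).
    "content-type" : POST also skips it when Content-Type is one of FORM_TYPES,
                     the finer-grained rule the thread argues against.
    Any header the script set that is not safelisted forces a preflight under
    both policies; Origin is added by the browser, not the script, so it is
    ignored here.
    """
    h = _normalise(headers)
    if set(h) - SAFE_HEADERS - {"origin"}:
        return True
    method = method.upper()
    if method == "GET":
        return False
    if policy == "content-type" and method == "POST":
        ctype = h.get("content-type", "").split(";", 1)[0].strip().lower()
        return ctype not in FORM_TYPES
    return True


def accept_state_change(headers, allowed_origins):
    """Server-side check for a state-changing request that arrived with no
    preflight. Model assumption: a request carrying no Origin header came
    from the server's own origin; anything else is cross-site and is
    accepted only if its Origin is on the allow-list."""
    origin = _normalise(headers).get("origin")
    if origin is None:
        return True
    return origin in allowed_origins
```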

Received on Wednesday, 16 July 2008 19:12:39 UTC