W3C home > Mailing lists > Public > public-webapps@w3.org > April to June 2009

Re: [cors] TAG request concerning CORS & Next Step(s)

From: Bil Corry <bil@corry.biz>
Date: Wed, 24 Jun 2009 17:28:13 -0500
Message-ID: <4A42A87D.4060902@corry.biz>
To: Tyler Close <tyler.close@gmail.com>
CC: Jonas Sicking <jonas@sicking.cc>, Arthur Barstow <Art.Barstow@nokia.com>, public-webapps <public-webapps@w3.org>, Henry Thompson <ht@inf.ed.ac.uk>
Tyler Close wrote on 6/24/2009 4:26 PM: 
> On Wed, Jun 24, 2009 at 1:37 PM, Jonas Sicking<jonas@sicking.cc> wrote:
>> On Wed, Jun 24, 2009 at 12:52 PM, Tyler Close<tyler.close@gmail.com> wrote:
>>> Hi Jonas,
>>>
>>> I'm just asking what Origin header behavior will be shipped in Firefox
>>> 3.5. You've said redirects of preflighted requests aren't supported,
>>> so I'm wondering about the non-preflighted requests.
>> It will have the Origin header of the original request. We're
>> considering blocking the request entirely for now though.
> 
> Meaning the POST request is delivered to Site A, with an Origin header
> also identifying Site A, but with a Request-URI chosen by Site B. So
> Site B can cause the POST request to be sent to any resource on Site A
> and be processed under Site A's authority. I recommend against
> shipping that algorithm.

When this came up before, it was dismissed because "the practice of Site A submitting a form to untrusted site B is likely to be quite rare and easily avoidable":

	http://lists.w3.org/Archives/Public/public-webapps/2009JanMar/0108.html


- Bil
Received on Wednesday, 24 June 2009 22:28:58 GMT

This archive was generated by hypermail 2.3.1 : Tuesday, 26 March 2013 18:49:31 GMT