Tyler Close wrote on 6/24/2009 4:26 PM:
> On Wed, Jun 24, 2009 at 1:37 PM, Jonas Sicking <jonas@sicking.cc> wrote:
>> On Wed, Jun 24, 2009 at 12:52 PM, Tyler Close <tyler.close@gmail.com> wrote:
>>> Hi Jonas,
>>>
>>> I'm just asking what Origin header behavior will be shipped in Firefox
>>> 3.5. You've said redirects of preflighted requests aren't supported,
>>> so I'm wondering about the non-preflighted requests.
>> It will have the Origin header of the original request. We're
>> considering blocking the request entirely for now though.
>
> Meaning the POST request is delivered to Site A, with an Origin header
> also identifying Site A, but with a Request-URI chosen by Site B. So
> Site B can cause the POST request to be sent to any resource on Site A
> and be processed under Site A's authority. I recommend against
> shipping that algorithm.

When this came up before, it was dismissed because "the practice of Site A submitting a form to untrusted site B is likely to be quite rare and easily avoidable":

http://lists.w3.org/Archives/Public/public-webapps/2009JanMar/0108.html

- Bil

Received on Wednesday, 24 June 2009 22:28:58 GMT
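The exchange the thread is arguing about, as an added simulation that is not part of the archived message and not Firefox code: a non-preflighted cross-site POST from Site A to Site B, a redirect from Site B back to a Site A resource, and the two browser behaviours Jonas mentions (re-send with the original Origin header, or block the redirected request). The hostnames, paths and the naive Origin-based check on Site A are assumptions chosen to show why the first behaviour makes an Origin-only CSRF check on Site A pass a request whose Request-URI was chosen by Site B.

```python
"""Simulation of the Origin-header-on-redirect case from the thread.

Constructed example (not the message author's code, not Firefox's):
  - Site A's page submits a form (non-preflighted POST) to Site B.
  - Site B answers with a 302 to a resource on Site A of B's choosing.
  - The browser either re-sends the POST to Site A carrying the ORIGINAL
    Origin header (Site A), the Firefox 3.5 behaviour described in the
    thread, or blocks the redirected request, the alternative mentioned.
Hostnames, paths and the check in site_a_accepts() are assumptions.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

SITE_A = "https://a.example"   # constructed origin (the victim-side site in the thread)
SITE_B = "https://b.example"   # constructed origin (the site the form is submitted to)


@dataclass
class Request:
    method: str
    url: str
    origin: str       # value of the Origin header the browser attaches
    body: str = ""


@dataclass
class Response:
    status: int
    location: Optional[str] = None


def origin_of(url: str) -> str:
    """scheme://host portion of a URL (assumes no userinfo/port subtleties)."""
    scheme, rest = url.split("://", 1)
    return f"{scheme}://{rest.split('/', 1)[0]}"


def site_b(req: Request) -> Response:
    """Site B redirects the POST to a Site A resource that Site B chooses."""
    return Response(302, location=f"{SITE_A}/some/resource")


def browser_follow_redirect(req: Request, resp: Response, policy: str) -> Optional[Request]:
    """Model the browser's handling of a redirect of a cross-site request.

    policy == "keep-origin": re-send to the Location target with the Origin
        header of the original request (the behaviour described for Firefox 3.5).
    policy == "block": do not follow the redirect at all (the alternative
        Jonas says was being considered).
    """
    if resp.status not in (301, 302, 307):
        return req                       # no redirect: nothing changes
    if policy == "block":
        return None
    if policy == "keep-origin":
        return Request(req.method, resp.location, req.origin, req.body)
    raise ValueError(f"unknown policy {policy!r}")


def site_a_accepts(req: Request) -> bool:
    """A naive same-origin check on Site A that trusts the Origin header alone.

    This is the kind of check Tyler's objection targets: under "keep-origin" the
    redirected request arrives with Origin == Site A, so it passes even though
    Site B picked the Request-URI.
    """
    return origin_of(req.url) == SITE_A and req.origin == SITE_A


def run(policy: str) -> Optional[Tuple[str, str, bool]]:
    """Return (final URL, Origin header seen by Site A, accepted?) or None if blocked."""
    first = Request("POST", f"{SITE_B}/submit", origin=SITE_A, body="field=value")
    redirected = browser_follow_redirect(first, site_b(first), policy)
    if redirected is None:
        return None
    return (redirected.url, redirected.origin, site_a_accepts(redirected))


if __name__ == "__main__":
    print("keep-origin:", run("keep-origin"))   # Site A sees Origin == Site A and accepts
    print("block:      ", run("block"))         # request never reaches Site A
```

Under "keep-origin" the request that reaches Site A carries Origin: https://a.example together with a URL Site B selected, which is exactly the combination Tyler describes; under "block" Site A never sees it. The simulation makes the defensive point for Site A operators: while a browser ships the first behaviour, an Origin header equal to your own origin does not by itself prove the request path was chosen by your own page.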