Re: [CORS] Access-Control-Request-Method from Jonas Sicking on 2012-02-15 (public-webapps@w3.org from January to March 2012)

From: Jonas Sicking <jonas@sicking.cc>
Date: Wed, 15 Feb 2012 02:05:36 -0500
To: Anne van Kesteren <annevk@opera.com>
Cc: Boris Zbarsky <bzbarsky@mit.edu>, public-webapps@w3.org, Adam Barth <abarth@gmail.com>, Odin Hørthe Omdal <odinho@opera.com>
Message-ID: <CA+c2ei_JgXhxJdDeixKwvHnh41u+5EEy4DjizoDHyjo0T2mAtA@mail.gmail.com>

On Tue, Feb 14, 2012 at 12:38 PM, Anne van Kesteren <annevk@opera.com> wrote:
> On Thu, 22 Dec 2011 17:05:08 +0100, Boris Zbarsky <bzbarsky@mit.edu> wrote:
>>
>> No, what I mean is this.  Say we enter
>> http://dvcs.w3.org/hg/cors/raw-file/tip/Overview.html#cross-origin-request
>> with the following state:
>>
>> * "force preflight" flag is true
>> * Request method is simple method
>> * No author request headers
>> * Empty preflight cache (not that this matters)
>>
>> The spec says we should "follow the cross-origin request with preflight
>> algorithm."
>>
>> Following that link, it says:
>>
>>   Go to the next step if the following conditions are true:
>>
>>     For request method there either is a method cache match or it is a
>>     simple method.
>>
>>     For every header of author request headers there either is a header
>>     cache match for the field name or it is a simple header.
>>
>> Since the method is a simple method and there are no author request
>> headers, we skip the preflight and go on to the main request.
>>
>> Now it's possible that I simply don't understand what this flag is
>> _supposed_ to do or that I'm missing something....
>
>
> So the idea behind the force preflight flag is that there's a preflight
> request if upload event listeners are registered, because otherwise you can
> determine the existence of a server. Now the obvious way to fix CORS would
> be to add an additional condition in the text you quoted above, namely that
> the force preflight flag is unset; however, that would mean that caching is
> bypassed too.

Just add the "force preflight flag is unset" condition to only the "is
simple method" check. That way a cache hit still counts prevents a
preflight even if the force-flag is set.

Note that a cache hit can only happen if a preflight-check has been
successful *from the requesting origin*. So things should still be
safe.

At least that's how we have it implemented in Firefox.

/ Jonas

Received on Wednesday, 15 February 2012 07:06:34 UTC