- From: Anne van Kesteren <annevk@opera.com>
- Date: Mon, 05 Nov 2007 10:28:46 -0500
- To: "Thomas Roessler" <tlr@w3.org>
- Cc: "WAF WG (public)" <public-appformats@w3.org>
On Mon, 05 Nov 2007 10:22:15 -0500, Thomas Roessler <tlr@w3.org> wrote:

> There are two points here:
>
> 1. There is a design decision at least in XForms to enable
> cross-site POST with XML content.
>
> 2. You are "vulnerable" to a cross-site POST if your *user* has
> XForms support active. If you deploy a web application (or Web
> Service) that is vulnerable to cross-site POST with an XML content
> type, you probably have a problem.
>
> Together, these suggest to me that trying to avoid specifically XML
> content in unattended cross-site POST requests (if they are caused
> by XHR) is an exercise that's not worth the effort.

Given that XForms isn't widely deployed at all, I'm not sure we should simply declare cross-site POST with more capabilities than <form> POST safe. Also, we're trying to address more than POST and GET.

>>>> <form> POST is not relevant to the discussion at hand.
>>>> XMLHttpRequest POST follows the model with Method-Check, etc.
>>>
>>> You're not answering my question.
>>
>> I don't understand it then, I suppose.
>
> Key words: "from the perspective of the site that needs to handle
> these requests"

You already said that. I'm not sure how you think that helps.

>>> There is a difference between deploying a web application and
>>> deploying a different HTTP stack.
>
>> Well yes, some changes have to be made in order to support this.
>> This is not that complicated though with typical server-side
>> languages.
>
> We seemed to have a goal to do it all without server changes at some
> point. Seems that has been lost.

At some point this draft only addressed the GET case. We then merged the XMLHttpRequest Level 2 proposal for non-GET cases into this draft.

--
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>
Received on Monday, 5 November 2007 15:28:45 UTC