- From: Ian Hickson <ian@hixie.ch>
- Date: Tue, 23 Oct 2007 20:49:30 +0000 (UTC)
- To: Anne van Kesteren <annevk@opera.com>
- Cc: "WAF WG (public)" <public-appformats@w3.org>
On Tue, 23 Oct 2007, Anne van Kesteren wrote:
>
> I think the idea is to limit those cross-site requests to requests that
> don't include authentication information. That's not feasible at the
> moment, but the argument is that he doesn't want this specification to
> endorse that by saying that the cross-site requests should include
> authentication information. Rather, that an authentication request
> without authentication information is done first.

This would be a huge pain to implement on Apache.

> > What is the attack vector that is being mitigated by not allowing it?
> > GETs are by definition supposed to be side-effect-free.
>
> I think "supposed" and "real world" are key words here. But why be
> practical here when the earlier argument (that we'll ever be able to
> stop doing this for <img>, etc) is a theoretical one? :-)

How do you envisage ever stopping it for the other types? If we're not
stopping it for them, there is really absolutely no point in making XHR
more of a pain.

I'm against requiring a preflight for GET requests. It's bad enough that
we have to do one for POST.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Tuesday, 23 October 2007 20:49:58 UTC
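The preflight rule the thread argues about, modelled as a toy exchange. This is an added illustration, not code from the message or from the WAF WG draft: a plain GET is sent directly and can still reach the server (the side-effect concern Anne raises), while a POST is preceded by an OPTIONS round trip and is never sent if that preflight is refused. The header names are the ones later standardised in W3C CORS, which this 2007 discussion predates, and the origins and allowlist are constructed sample values.

```python
# Added illustration (not code from the thread): a toy model of the preflight
# rule under discussion.  A plain GET goes out directly; a POST is preceded by
# an OPTIONS preflight and is never sent if that preflight is refused.
# Header names follow the later W3C CORS recommendation, which this 2007
# exchange predates; the origins below are constructed sample values.

ALLOWED_ORIGINS = {"https://app.example"}   # server-side allowlist (constructed)
ALLOWED_METHODS = {"GET", "POST"}
SIMPLE_METHODS = {"GET", "HEAD"}             # sent without a preflight (assumption)


def needs_preflight(method: str) -> bool:
    """Browser-side rule: only non-simple methods trigger an OPTIONS round trip."""
    return method.upper() not in SIMPLE_METHODS


def origin_server(method: str, headers: dict) -> tuple:
    """Toy origin server.  Returns (status, response_headers).

    CORS headers are emitted only for an allowlisted Origin and always echo
    that exact origin (never '*'), so credentials can safely be permitted."""
    origin = headers.get("Origin", "")
    allowed = origin in ALLOWED_ORIGINS
    if method == "OPTIONS":
        wanted = headers.get("Access-Control-Request-Method", "")
        if not allowed or wanted not in ALLOWED_METHODS:
            return 403, {}          # refuse the preflight; no CORS headers at all
        return 204, {
            "Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Methods": ", ".join(sorted(ALLOWED_METHODS)),
            "Access-Control-Allow-Credentials": "true",
            "Vary": "Origin",
        }
    # The resource itself is served regardless of Origin; only the *read*
    # permission depends on it.  Unknown origins get no CORS headers.
    resp = {"Content-Type": "text/plain"}
    if allowed:
        resp.update({
            "Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true",
            "Vary": "Origin",
        })
    return 200, resp


def cross_site_request(origin: str, method: str, with_credentials: bool = False) -> dict:
    """Simulate the browser side.  Returns the exchanges actually made and
    whether the page at `origin` is allowed to read the final response."""
    method = method.upper()
    exchanges = []
    if needs_preflight(method):
        status, hdrs = origin_server("OPTIONS", {
            "Origin": origin,
            "Access-Control-Request-Method": method,
        })
        exchanges.append(("OPTIONS", status))
        ok = (status == 204
              and hdrs.get("Access-Control-Allow-Origin") == origin
              and method in hdrs.get("Access-Control-Allow-Methods", "").split(", "))
        if not ok:
            return {"exchanges": exchanges, "readable": False}  # real request never sent
    status, hdrs = origin_server(method, {"Origin": origin})
    exchanges.append((method, status))
    readable = hdrs.get("Access-Control-Allow-Origin") == origin
    if with_credentials:
        readable = readable and hdrs.get("Access-Control-Allow-Credentials") == "true"
    return {"exchanges": exchanges, "readable": readable}


if __name__ == "__main__":
    for origin, method in [("https://app.example", "GET"), ("https://app.example", "POST"),
                           ("https://evil.example", "GET"), ("https://evil.example", "POST")]:
        print(origin, method, cross_site_request(origin, method))
```

The run makes the trade-off in the thread visible: the GET from the unknown origin still reaches `origin_server` (one exchange, status 200) even though the response is unreadable, whereas the POST from that origin is stopped at the refused OPTIONS and never arrives.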