- From: Anne van Kesteren <annevk@opera.com>
- Date: Wed, 16 Jan 2008 14:07:18 +0100
- To: "WAF WG (public)" <public-appformats@w3.org>
tlr has some doubts whether the distinction between <form> POST and Access Control POST is sufficient enough to give Access Control POST a preflight OPTIONS, as it might lead authors to think that they are protected against cross-site POST requests while in reality, if they don't do careful checking of the Content-Type header or require some kind of magic string previously obtained using a normal GET request, they are not.

We earlier decided to let authors perform the additional check and require the preflight OPTIONS so I'll leave the specification as is unless people start changing their minds...

-- 
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>
Received on Wednesday, 16 January 2008 13:04:17 UTC
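
The server-side check the message refers to, sketched as an added example that is not part of the original post or of the specification: a POST is accepted only if it carries a token handed out on an earlier GET, or a Content-Type that a plain `<form>` cannot produce. The function names, the header dictionary and the sample requests are assumptions constructed for illustration.

```python
import hmac

# Content types an HTML <form> can send through its enctype attribute.
# A POST with one of these arrives without any preflight OPTIONS.
FORM_CONTENT_TYPES = {
    "application/x-www-form-urlencoded",
    "multipart/form-data",
    "text/plain",
}

def media_type(headers):
    """Lowercased media type without parameters; '' if the header is absent."""
    for name, value in headers.items():
        if name.lower() == "content-type":
            return value.split(";", 1)[0].strip().lower()
    return ""

def token_matches(submitted, expected):
    """Constant-time comparison of the 'magic string' from a prior GET."""
    if not submitted or not expected:
        return False
    return hmac.compare_digest(submitted.encode(), expected.encode())

def accept_post(headers, submitted_token, session_token):
    """Return (allowed, reason) for a state-changing POST (hypothetical helper)."""
    if token_matches(submitted_token, session_token):
        return True, "token"
    mtype = media_type(headers)
    # A missing Content-Type proves nothing, so it is treated like a form POST.
    if mtype and mtype not in FORM_CONTENT_TYPES:
        return True, "non-form content type"
    return False, "form-reachable POST without token"

if __name__ == "__main__":
    # Constructed sample requests: (headers, submitted token, session token).
    samples = [
        ({"Content-Type": "application/x-www-form-urlencoded"}, None, "s3ss10n"),
        ({"Content-Type": "text/plain; charset=UTF-8"}, "guess", "s3ss10n"),
        ({"Content-Type": "application/xml"}, None, "s3ss10n"),
        ({"content-type": "multipart/form-data; boundary=x"}, "s3ss10n", "s3ss10n"),
    ]
    for headers, submitted, expected in samples:
        print(headers, accept_post(headers, submitted, expected))
```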