<form> POST versus Access Control POST

tlr has some doubts whether the distinction between <form> POST and Access  
Control POST is sufficient enough to give Access Control POST a preflight  
OPTIONS as it might lead authors to think that they are protected against  
cross-site POST requests while in reality, if they don't do careful  
checking of the Content-Type header or require some kind of magic string  
previously obtained using a normal GET request, they are not.

We earlier decided to let authors perform the additional check and require  
the preflight OPTIONS so I'll leave the specification as is unless people  
start changing their minds...

Anne van Kesteren

Received on Wednesday, 16 January 2008 13:04:17 UTC
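
The server-side check the message refers to, as an added example that is not part of the original message or of the specification: a POST handler that refuses content types an HTML `<form>` can send without any preflight unless a token previously obtained with a normal GET is present. The `X-Request-Token` header name, the function names and the sample requests are assumptions made for this sketch, and it assumes that any other content type can only arrive cross-site through the preflighted Access Control POST.

```python
import hmac

# Content types an HTML <form> can submit cross-site with no preflight OPTIONS.
FORM_CONTENT_TYPES = {
    "application/x-www-form-urlencoded",
    "multipart/form-data",
    "text/plain",
}

TOKEN_HEADER = "x-request-token"  # hypothetical header name for this sketch


def media_type(headers):
    """Return the lowercased media type without parameters, or '' if absent."""
    value = headers.get("content-type", "")
    return value.split(";", 1)[0].strip().lower()


def check_post(headers, session_token):
    """Decide whether a state-changing POST may be processed.

    headers: dict of request headers (keys in any case).
    session_token: secret the client fetched earlier with a normal GET.
    Returns (allowed, reason).
    """
    headers = {k.lower(): v for k, v in headers.items()}
    supplied = headers.get(TOKEN_HEADER, "")
    # Constant-time comparison of the "magic string" from the earlier GET.
    if session_token and hmac.compare_digest(
        supplied.encode(), session_token.encode()
    ):
        return True, "valid token"
    ctype = media_type(headers)
    # A missing or form-reachable type proves nothing about a preflight.
    if ctype == "" or ctype in FORM_CONTENT_TYPES:
        return False, "form-reachable content type without token"
    return True, "content type a <form> cannot produce"


if __name__ == "__main__":
    # Constructed sample requests, not taken from the message.
    samples = [
        {"Content-Type": "application/x-www-form-urlencoded; charset=UTF-8"},
        {"Content-Type": "application/xml"},
        {"Content-Type": "text/plain", "X-Request-Token": "tok-123"},
    ]
    for request_headers in samples:
        print(request_headers, "->", check_post(request_headers, "tok-123"))
```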